From d57257d653404cfcce89f6565b7839b55b458dbf Mon Sep 17 00:00:00 2001 From: Renaud Fivet Date: Thu, 19 Mar 2015 20:52:55 +0800 Subject: [PATCH] FIX: User variable names first 10 characters are now significant. Also CID 39927 Unbounded source buffer, 39933 Copy into fixed size buffer. --- eval.c | 20 +++++++++++--------- exec.c | 3 +++ 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/eval.c b/eval.c index 55b656e..2e19d2b 100644 --- a/eval.c +++ b/eval.c @@ -620,8 +620,9 @@ static char *gtusr( char *vname) { /* scan the list looking for the user var name */ for (vnum = 0; vnum < MAXVARS; vnum++) { if (uv[vnum].u_name[0] == 0) - return errorm; - if (strcmp(vname, uv[vnum].u_name) == 0) + break ; + + if( strncmp( vname, uv[ vnum].u_name, NVSIZE) == 0) return uv[vnum].u_value; } @@ -773,12 +774,12 @@ int setvar(int f, int n) { int status; /* status return */ struct variable_description vd; /* variable num/type */ - char var[NVSIZE + 1]; /* name of variable to fetch */ + char var[NVSIZE + 2]; /* name of variable to fetch %1234567890\0 */ char value[ 2 * NSTRING] ; /* value to set variable to */ /* first get the variable to set.. */ if (clexec == FALSE) { - status = mlreply("Variable to set: ", &var[0], NVSIZE); + status = mlreply( "Variable to set: ", var, sizeof var) ; if (status != TRUE) return status; } else { /* macro line argument */ @@ -787,7 +788,7 @@ int setvar(int f, int n) } /* check the legality and find the var */ - findvar(var, &vd, NVSIZE + 1); + findvar( var, &vd, sizeof var) ; /* if its not legal....bitch */ if (vd.v_type == -1) { @@ -855,10 +856,9 @@ int mdbugout( char *fmt, char *s1, char *s2, char *s3) { */ static void findvar(char *var, struct variable_description *vd, int size) { - unsigned vnum ; /* subscript in variable arrays */ + unsigned vnum = 0 ; /* subscript in variable arrays */ int vtype; /* type to return */ - vnum = -1; fvar: vtype = -1; switch (var[0]) { 
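Review bot: In the `setvar` hunk of eval.c, the `mlreply` call now passes `sizeof var` (NVSIZE + 2) where it used to pass `NVSIZE` for an `NVSIZE + 1` buffer, so it is only safe if `mlreply` treats that argument as the total buffer size including the terminator. That contract is not visible in this patch and should be confirmed. The macro-line branch that fills `var` sits between this hunk and the next and is not shown; if it still uses a hard-coded `NVSIZE + 1`, it should switch to `sizeof var` so every user of the buffer agrees. The trailing comment `%1234567890\0` would read better spelled out, e.g. `/* '%' + NVSIZE name characters + NUL */`.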
@@ -884,7 +884,8 @@ fvar: for (vnum = 0; vnum < MAXVARS; vnum++) if (uv[vnum].u_name[0] == 0) { vtype = TKVAR; - strcpy(uv[vnum].u_name, &var[1]); + strncpy( uv[ vnum].u_name, &var[ 1], NVSIZE) ; + uv[ vnum].u_name[ NVSIZE] = '\0' ; break; } break; @@ -894,7 +895,8 @@ fvar: if (strcmp(&var[1], "ind") == 0) { /* grab token, and eval it */ gettoken( var, size) ; - strcpy(var, getval(var)); + strncpy( var, getval( var), size - 1) ; + var[ size - 1] = '\0' ; goto fvar; } } diff --git a/exec.c b/exec.c index bc49e3d..5495508 100644 --- a/exec.c +++ b/exec.c @@ -318,6 +318,9 @@ int nextarg(const char *prompt, char *buffer, int size, int terminator) return getstring(prompt, buffer, size, terminator); tmpbuf = malloc( size) ; + if( tmpbuf == NULL) + return FALSE ; + /* grab token and advance past */ gettoken( tmpbuf, size) ;
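Review bot: In the first hunk on this line (user-variable creation in `findvar`), the copy bound and the terminator index are both the bare constant `NVSIZE`, which is in bounds only if `u_name` is declared with at least `NVSIZE + 1` bytes; that declaration is not part of this patch. If `u_name` is an array member, tying the bound to it keeps the two from drifting: `strncpy(uv[vnum].u_name, &var[1], sizeof uv[vnum].u_name - 1);` followed by `uv[vnum].u_name[sizeof uv[vnum].u_name - 1] = '\0';`. The lookup loop that precedes this hunk is not shown. If any caller can pass a name longer than `NVSIZE`, that loop presumably needs the same `strncmp(..., NVSIZE)` comparison `gtusr` now uses, otherwise a name truncated on creation would never match on a later set and would take a fresh slot each time.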
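Review bot: In the `&ind` hunk, the value returned by `getval(var)` is silently cut to `size - 1` characters before `goto fvar`, so an over-long indirect name is resolved as whatever variable its prefix spells instead of being rejected. Checking the length first would make that an explicit illegal-variable result, e.g. `if (strlen(val) >= (size_t) size) break;` ahead of the copy, with `val` holding the `getval` result and `vtype` left at -1. The hunk also assumes `size >= 1`, since a zero `size` makes `var[size - 1]` write before the buffer. It further assumes `getval` never returns a pointer into `var` itself, which `strncpy` does not permit; neither assumption is checked or documented in the visible lines. The enclosing `switch` starts outside the hunk.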
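Review bot: In the exec.c hunk, `size` is an `int` handed straight to `malloc` in `nextarg`, and the added check covers only allocation failure. A negative `size` converts to a very large `size_t`, and a zero `size` may yield either NULL or a zero-length block that `gettoken` presumably then writes into. A guard before the allocation, `if (size <= 0) return FALSE;`, would cover both. Returning `FALSE` on out-of-memory is indistinguishable to callers from other failures, so a short comment such as `/* out of memory: report as failure */` on the new branch would help. The function continues past the hunk, so whether `tmpbuf` is freed on every later path cannot be seen here.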