From 9f6966e20f8163faf3daf30bc551d9fec0f13c59 Mon Sep 17 00:00:00 2001
From: jsm <jsm@NetBSD.org>
Date: Mon, 13 Sep 1999 17:19:55 +0000
Subject: Fix buffer overrun in rogue.

---
 rogue/save.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

(limited to 'rogue/save.c')

diff --git a/rogue/save.c b/rogue/save.c
index c0ce0033..d306d924 100644
--- a/rogue/save.c
+++ b/rogue/save.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: save.c,v 1.5 1998/11/10 13:01:32 hubertf Exp $	*/
+/*	$NetBSD: save.c,v 1.6 1999/09/13 17:19:55 jsm Exp $	*/
 
 /*
  * Copyright (c) 1988, 1993
@@ -41,7 +41,7 @@
 #if 0
 static char sccsid[] = "@(#)save.c	8.1 (Berkeley) 5/31/93";
 #else
-__RCSID("$NetBSD: save.c,v 1.5 1998/11/10 13:01:32 hubertf Exp $");
+__RCSID("$NetBSD: save.c,v 1.6 1999/09/13 17:19:55 jsm Exp $");
 #endif
 #endif /* not lint */
 
@@ -83,15 +83,23 @@ save_into_file(sfile)
 {
 	FILE *fp;
 	int file_id;
-	char name_buffer[80];
+	char *name_buffer;
+	size_t len;
 	char *hptr;
 	struct rogue_time rt_buf;
 
 	if (sfile[0] == '~') {
 		if ((hptr = md_getenv("HOME")) != NULL) {
-			(void) strcpy(name_buffer, hptr);
-			(void) strcat(name_buffer, sfile+1);
-			sfile = name_buffer;
+			len = strlen(hptr) + strlen(sfile);
+			name_buffer = md_malloc(len);
+			if (name_buffer == NULL) {
+				message("out of memory for save file name", 0);
+				sfile = error_file;
+			} else {
+				(void) strcpy(name_buffer, hptr);
+				(void) strcat(name_buffer, sfile+1);
+				sfile = name_buffer;
+			}
 		}
 	}
 	if (	((fp = fopen(sfile, "w")) == NULL) ||
-- 
cgit v1.2.3-56-ge451