From 5e894ea6661cb7cf4e46977364f0ed30682418ba Mon Sep 17 00:00:00 2001
From: tobias
Date: Thu, 16 Apr 2020 17:12:49 +0000
Subject: Prevent out of boundary write with configuration files in which too
 many quoted arguments are stored for other window managers.

The quotation handling happens within the while loop without checking if
the "end" limit has been already reached. If this happens, the final
NULL assignment leads to an out of boundary write on stack.

OK okan@
---
 util.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/util.c b/util.c
index cb101ee..381d6ae 100644
--- a/util.c
+++ b/util.c
@@ -15,7 +15,7 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
- * $OpenBSD: util.c,v 1.25 2020/02/27 14:56:39 okan Exp $
+ * $OpenBSD: util.c,v 1.26 2020/04/16 17:12:49 tobias Exp $
  */
 
 #include <sys/types.h>
@@ -53,7 +53,7 @@ u_exec(char *argstr)
 {
 #define MAXARGLEN 20
 	char	*args[MAXARGLEN], **ap = args;
-	char	**end = &args[MAXARGLEN - 1], *tmp;
+	char	**end = &args[MAXARGLEN - 2], *tmp;
 	char	*s = argstr;
 
 	while (ap < end && (*ap = strsep(&argstr, " \t")) != NULL) {
-- 
cgit v1.2.3-2-gb3c3