From 690ee9abdac7881e570c45efaa4189d3a4ef90da Mon Sep 17 00:00:00 2001
From: rswindell <>
Date: Tue, 9 Jun 2009 04:59:19 +0000
Subject: [PATCH] Bug-fix: when wordwrap() was called with an inbuf with no
 LF's, the part that automatically appends a \r\n to the linebuf ("Trailing
 bits") would exceed the malloc'd  buffer by one byte and corrupt the heap.

---
 src/sbbs3/wordwrap.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/sbbs3/wordwrap.c b/src/sbbs3/wordwrap.c
index 1d2d076d8a..ea2a1e8877 100644
--- a/src/sbbs3/wordwrap.c
+++ b/src/sbbs3/wordwrap.c
@@ -190,7 +190,7 @@ char* wordwrap(char* inbuf, int len, int oldlen, BOOL handle_quotes)
 		return NULL;
 	outp=outbuf;
 
-	if((linebuf=(char*)malloc(inbuf_len+1))==NULL) /* room for ^A codes */
+	if((linebuf=(char*)malloc(inbuf_len+2))==NULL) /* room for ^A codes */
 		return NULL;
 
 	if(handle_quotes) {
@@ -400,8 +400,7 @@ char* wordwrap(char* inbuf, int len, int oldlen, BOOL handle_quotes)
 				memmove(inbuf, inbuf+1, strlen(inbuf));
 		}
 	}
-
-	free(linebuf);
+ 	free(linebuf);
 
 	if(prefix)
 		free(prefix);
-- 
GitLab