Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).

This couldn't ever overflow in curl, but might if the code were used
elsewhere or under different conditions.

CHANGES

@@ -10,6 +10,10 @@ Daniel Fandrich (4 Feb 2009)
 - Don't add the standard /usr/lib or /usr/include paths to LDFLAGS and CPPFLAGS
   (respectively) when --with-ssl=/usr is used (patch based on FreeBSD).
 
+- Added an explicit buffer limit check in msdosify() (patch based on FreeBSD).
+  This couldn't ever overflow in curl, but might if the code were used
+  elsewhere or under different conditions.
+
 Daniel Stenberg (3 Feb 2009)
 - Hidemoto Nakada provided a small fix that makes it possible to get the
   CURLINFO_CONTENT_LENGTH_DOWNLOAD size from file:// "transfers" with

src/main.c

@@ -5350,12 +5350,14 @@ static char *basename(char *path)
 static const char *
 msdosify (const char *file_name)
 {
-  static char dos_name[PATH_MAX*2];
-  static const char illegal_chars_dos[] = ".+, ;=[]|<>\\\":?*";
+  static char dos_name[PATH_MAX];
+  static const char illegal_chars_dos[] = ".+, ;=[]" /* illegal in DOS */
+                                       "|<>\\\":?*"; /* illegal in DOS & W95 */
   static const char *illegal_chars_w95 = &illegal_chars_dos[8];
   int idx, dot_idx;
   const char *s = file_name;
   char *d = dos_name;
+  const char * const dlimit = dos_name + sizeof(dos_name) - 1;
   const char *illegal_aliens = illegal_chars_dos;
   size_t len = sizeof (illegal_chars_dos) - 1;
   int lfn = 0;
@@ -5376,7 +5378,7 @@ msdosify (const char *file_name)
     *d++ = *s++;
   }
 
-  for (idx = 0, dot_idx = -1; *s; s++, d++) {
+  for (idx = 0, dot_idx = -1; *s && d < dlimit; s++, d++) {
     if (memchr (illegal_aliens, *s, len)) {
       /* Dots are special: DOS doesn't allow them as the leading character,
          and a file name cannot have more than a single dot.  We leave the