From ec8be891e233fca8d33f5452b5bfc97fe0ac7d51 Mon Sep 17 00:00:00 2001
From: H.G. Muller
Date: Wed, 17 Nov 2010 13:40:20 +0100
Subject: [PATCH] Fix safety crash when appending comments

The length limit imposed on safeStrCpy was one too short when copying an existing comment to the space allocated for the longer (concatenated) one. It allowed no space for the terminating '\0'.
---
 backend.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/backend.c b/backend.c
index 6e544c0..a887fb6 100644
--- a/backend.c
+++ b/backend.c
@@ -13373,7 +13373,7 @@ if(appData.debugMode) fprintf(debugFP, "Append: in='%s' %d\n", text, addBraces);
 while(commentList[index][oldlen-1] == '\n') commentList[index][--oldlen] = NULLCHAR;
 commentList[index] = (char *) malloc(oldlen + len + 6); // might waste 4
- safeStrCpy(commentList[index], old, oldlen);
+ safeStrCpy(commentList[index], old, oldlen + len + 6);
 free(old); // [HGM] braces: join "{A\n}\n" + "{\nB}" as "{A\nB\n}"
 if(commentList[index][oldlen-1] == '}' && (text[0] == '{' || addBraces)) {
-- 
1.7.0.4
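Review bot: The bound passed to safeStrCpy on the added line repeats the `oldlen + len + 6` expression from the malloc call just above it, so the copy limit and the allocation size can drift apart again the next time either is edited, which is the kind of mismatch this commit repairs. Computing the size once, for example `newsize = oldlen + len + 6;`, and passing `newsize` to both malloc and safeStrCpy keeps the two in step. The malloc result is also written through without a NULL check. Separately, the `while(commentList[index][oldlen-1] == '\n')` loop in the context lines has no lower bound on oldlen, so a stored comment that is empty or made up only of newlines would presumably be indexed at -1 there and again in the `== '}'` test; `while(oldlen > 0 && commentList[index][oldlen-1] == '\n')` would close that. The enclosing function starts and ends outside the hunk, so how oldlen and len are derived is not visible here.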