From 0301420fcbf77c7e2a2d3f75073243b0000f25a9 Mon Sep 17 00:00:00 2001
From: nhmall
Date: Mon, 19 Feb 2018 10:19:44 -0500
Subject: [PATCH] fix reported stack corruption bug during Call Fix an issue reported as github #74. Some guard code was required to prevent writing past end of qbuf via a sprintf.
---
 src/do_name.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/do_name.c b/src/do_name.c
index 6e3bfd981..db226a548 100644
--- a/src/do_name.c
+++ b/src/do_name.c
@@ -1415,12 +1415,19 @@ register struct obj *obj;
 otemp.quan = 1L;
 otemp.oextra = (struct oextra *) 0;
- if (objects[otemp.otyp].oc_class == POTION_CLASS && otemp.fromsink)
+ if (objects[otemp.otyp].oc_class == POTION_CLASS && otemp.fromsink) {
 /* kludge, meaning it's sink water */
 Sprintf(qbuf, "Call a stream of %s fluid:",
- OBJ_DESCR(objects[otemp.otyp]));
- else
- Sprintf(qbuf, "Call %s:", an(xname(&otemp)));
+ OBJ_DESCR(objects[otemp.otyp]));
+ } else {
+ char tmpbuf[BUFSZ], *tmpname = an(xname(&otemp));
+
+ if (strlen(tmpname) < (BUFSZ - 1)) {
+ Strcpy(tmpbuf, tmpname);
+ tmpbuf[QBUFSZ - 7] = '\0'; /* need room for "Call :"*/
+ Sprintf(qbuf, "Call %s:", tmpbuf);
+ }
+ }
 getlin(qbuf, buf);
 if (!*buf || *buf == '\033')
 return;
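Review bot: When `strlen(tmpname) < (BUFSZ - 1)` is false, the new `else` branch writes nothing to `qbuf`, yet `getlin(qbuf, buf)` still runs. `qbuf` is declared outside the hunk, so if it is an uninitialized local the prompt is read from indeterminate stack contents. A bounded format would fill `qbuf` on every path and remove both the guard and the `tmpbuf` copy, for example `Sprintf(qbuf, "Call %.*s:", QBUFSZ - 7, tmpname);`, assuming `Sprintf` forwards to `sprintf`. Separately, the unconditional store `tmpbuf[QBUFSZ - 7] = '\0'` is only in bounds if `QBUFSZ - 7` is less than `BUFSZ`, which the hunk does not show and which deserves a comment or a compile-time check. The function starts and ends outside this hunk.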