From 174cd59616620a07aba0315359cc9176797b417b Mon Sep 17 00:00:00 2001
From: nhmall
Date: Mon, 31 May 2021 10:21:44 -0400
Subject: [PATCH] potential buffer overflow in append_str fixes #524
---
 src/pager.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/pager.c b/src/pager.c
index 9f8cf059a..73e1a70bd 100644
--- a/src/pager.c
+++ b/src/pager.c
@@ -60,16 +60,18 @@ is_swallow_sym(int c)
 static int
 append_str(char *buf, const char *new_str)
 {
- int space_left; /* space remaining in buf */
+ size_t size2append, space_left;
+ const char sep[] = " or ";
 if (strstri(buf, new_str))
 return 0;
- space_left = BUFSZ - strlen(buf) - 1;
- if (space_left < 1)
+ space_left = BUFSZ - strlen(buf); /* space remaining in buf */
+ size2append = strlen(new_str) + sizeof sep; /* latter includes '\0' */
+ if (space_left < size2append)
 return 0;
- (void) strncat(buf, " or ", space_left);
- (void) strncat(buf, new_str, space_left - 4);
+ Strcat(buf, sep);
+ Strcat(buf, new_str);
 return 1;
 }
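Review bot: `space_left = BUFSZ - strlen(buf)` is now evaluated in `size_t`, so if `buf` ever arrives longer than `BUFSZ` (unterminated or already overrun) the subtraction wraps to a very large value and the `space_left < size2append` guard passes. The old `int` variable would typically have gone negative and returned 0. Comparing additively removes the subtraction and the wrap: `if (strlen(buf) + size2append > (size_t) BUFSZ) return 0;`. The function also depends on every caller passing a buffer of `BUFSZ` bytes, which neither the signature nor this hunk establishes. A header comment such as `/* buf must be a NUL-terminated BUFSZ-byte buffer; returns 1 if appended, 0 if already present or no room */` would state that contract and the two meanings of a 0 return.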