Index: support.c
===================================================================
RCS file: /cvsroot/proftp/proftpd/src/support.c,v
retrieving revision 1.69
diff -u -u -r1.69 support.c
--- support.c 13 Jul 2004 17:53:31 -0000 1.69
+++ support.c 28 Nov 2006 15:46:34 -0000
@@ -771,6 +771,12 @@
 if ((r = va_arg(args, char *)) == NULL)
 break;
 blen += (strlen(r) - strlen(m));
+ if (blen < 0) {
+ /* Integer overflow. In order to overflow this, somebody must be
+ * doing something very strange.
+ */
+ return s;
+ }
 marr[mlen] = m;
 rarr[mlen++] = r;
 }
@@ -818,10 +824,11 @@
 }
 if (!*mptr) {
- if ((cp - pbuf + 1) > blen) {
+ if ((cp - pbuf + 1) >= blen) {
 pr_log_pri(PR_LOG_ERR,
 "WARNING: attempt to overflow internal ProFTPD buffers");
 cp = pbuf + blen - 1;
+ goto done;
 }
 *cp++ = *src++;
 }
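Review bot: The new `if (blen < 0)` guard only catches an overflow whose wrapped result happens to be negative, and it runs after `blen += (strlen(r) - strlen(m))` has already been computed. The subtraction is done in `size_t`, so if `blen` is a signed int (its declaration is outside the hunk) the sum is converted back in an implementation-defined way and a large enough total can come out positive again. Bounding the value before the addition is more robust, e.g. `size_t rl = strlen(r), ml = strlen(m);` then `if (rl > ml && rl - ml > (size_t)(INT_MAX - blen)) return s;`. The early `return s` is also silent, unlike the `pr_log_pri` call in the later bounds check, so a refused substitution leaves no trace in the log. The enclosing loop and function start outside the hunk.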
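Review bot: The new `goto done;` makes the truncation path depend on the code at the `done` label, which is outside this hunk, so it cannot be confirmed here that the label stores the terminating NUL at `cp` and writes nothing past it. A comment on the branch would pin that contract, for example `/* cp is now the last byte of pbuf; done: must store the NUL there */`. The log text `WARNING: attempt to overflow internal ProFTPD buffers` does not say which function or which lengths were involved; adding them would make the event usable for triage. If the function has other bounds checks of the same form outside this hunk, they should be checked for the same `>` versus `>=` off-by-one.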