dtdocbook/instant: fix buffer overlow on German umlaut in latin-1

One-off error:

Old buffer length was 6 for one character (3 * 1 + 3)
We need one more byte par character in the buffer for
the hex representation of it.

+0 '"'
+1 '\\'
+2 'x'
+3 'f'
+4 'c'
+5 '"'
+6 0x0 << overflow

tcl combined with RCHECK will abort because memory blocks
are allocated contiguously and we overwrite the magic marker
of the next block.

diff --git a/cde/programs/dtdocbook/instant/main.c b/cde/programs/dtdocbook/instant/main.c
index 7dfe91c606e2b6aa1f0c54f25a0fa90ef7581f20..a3762bded9d439cb0ea7c3354d6f7122a3682d6d 100644 (file)
--- a/cde/programs/dtdocbook/instant/main.c
+++ b/cde/programs/dtdocbook/instant/main.c
@@ -359,7 +359,7 @@ static int DefaultOutputString(ClientData clientData,
 
     /* leave room for worst case expansion plus quotes plus null */
     pArgv = argv[1];
-    stringLength = (3 * strlen(pArgv)) + 3;
+    stringLength = (4 * strlen(pArgv)) + 3;
 
     string = Tcl_Alloc(stringLength);
     memset(string, 0, stringLength);