From 33328d997e0b39ec2afe06808e801bfed5fc7d0a Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sat, 5 May 2012 11:06:15 +0200
Subject: [PATCH] Avoid buffer overrun in parseMenuCommand.

In parseMenuCommand, title[300] might get filled with a string of length 300. The string is copied with strcpy, therefore the size would have to be 301 or -- as I propose -- the fixed value 300 gets replaced with "sizeof(title) - 1". This shows also that the size 300 belongs to title and it will already be replaced during compile-time into 299.
---
 src/appmenu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/appmenu.c b/src/appmenu.c
index 6aac338d..0d6c7f43 100644
--- a/src/appmenu.c
+++ b/src/appmenu.c
@@ -92,7 +92,7 @@ static WMenu *parseMenuCommand(WScreen * scr, Window win, char **slist, int coun
 char title[300];
 char rtext[300];
 
- if (strlen(slist[*index]) > 300) {
+ if (strlen(slist[*index]) > sizeof(title) - 1) {
 wwarning("appmenu: menu command size exceeded in window %lx", win);
 return NULL;
 }
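Review bot: The new bound in the `if` is expressed only in terms of `title`, while `rtext[300]`, declared on the line above it, has the same size and is not covered by name. If `rtext` is also filled from `slist[*index]` further down (the writes are not visible in this hunk), a later resize of either array would leave one copy unguarded. Consider taking `size_t len = strlen(slist[*index]);` and testing `if (len >= sizeof(title) || len >= sizeof(rtext))`, or at least adding a comment such as `/* slist[*index] is copied into the fixed-size buffers below; it must fit including the NUL */`. The commit message says the copy itself is a `strcpy`; bounding that write directly (for example with `snprintf(title, sizeof(title), "%s", ...)`) would keep the limit next to the copy instead of relying on this early check. parseMenuCommand's body starts before and continues past the hunk.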