Menu parser: added boundary checks in the path-gen for #include file search

When generating the full path+name of file to search for a file
being #included, it was generated in a buffer that's supposedly
large enough (MAXLINE > 2*PATH_MAX). However, this limit has a few
issues (PATH_MAX seem to be able to be bigger, and worse: we can't
be sure we're given longer args).

The code was rewrote to natively include boundary checks so we're
sure we won't overflow the buffer. A few strncpy have been removed
because in this case they tend to make things harder to write.

WINGs/menuparser.c

@@ -474,22 +474,31 @@ static Bool menu_parser_include_file(WMenuParser parser)
 	if (fh == NULL) {
 		if (req_filename[0] != '/') {
 			const char *src;
+			int idx;
 
 			fullfilename = buffer;
 			src = parser->include_default_paths;
 			while (*src != '\0') {
-				p = buffer;
+				idx = 0;
 				if (*src == '~') {
 					char *home = wgethomedir();
-					while (*home != '\0')
+					while (*home != '\0') {
-						*p++ = *home++;
+						if (idx < sizeof(buffer) - 2)
+							buffer[idx++] = *home;
+						home++;
+					}
 					src++;
 				}
-				while ((*src != '\0') && (*src != ':'))
+				while ((*src != '\0') && (*src != ':')) {
-					*p++ = *src++;
+					if (idx < sizeof(buffer) - 2)
-				*p++ = '/';
+						buffer[idx++] = *src;
-				strncpy(p, req_filename, sizeof(buffer) - (p - buffer - 1));
+					src++;
-				buffer[sizeof(buffer) - 1] = '\0';
+				}
+				buffer[idx++] = '/';
+				for (p = req_filename; *p != '\0'; p++)
+					if (idx < sizeof(buffer) - 1)
+						buffer[idx++] = *p;
+				buffer[idx] = '\0';
 
 				fh = fopen(fullfilename, "rb");
 				if (fh != NULL) goto found_valid_file;