From 120e62ec5055777059ebe216b680cb219146f436 Mon Sep 17 00:00:00 2001
From: Joerg Wunsch
Date: Mon, 16 Dec 1996 17:32:58 +0000
Subject: [PATCH] Fix yet another buffer overflow. :-( Vulnerable: all programs that use setlocale(LC_COLLATE), setlocale(LC_CTYPE), or setlocale(LC_ALL). The only setuid/setgid binary i've found for this is w(1). Should go into 2.2.
---
 lib/libc/locale/collate.c | 8 +++-----
 lib/libc/locale/setrunelocale.c | 6 ++----
 2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/lib/libc/locale/collate.c b/lib/libc/locale/collate.c
index a74a1a34fb0..79e410c1a81 100644
--- a/lib/libc/locale/collate.c
+++ b/lib/libc/locale/collate.c
@@ -24,7 +24,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $Id: collate.c,v 1.8 1996/10/23 15:35:43 ache Exp $
+ * $Id: collate.c,v 1.9 1996/11/26 02:49:31 ache Exp $
 */
 #include
@@ -73,10 +73,8 @@ __collate_load_tables(encoding)
 __collate_load_error = save_load_error;
 return -1;
 }
- strcpy(buf, _PathLocale);
- strcat(buf, "/");
- strcat(buf, encoding);
- strcat(buf, "/LC_COLLATE");
+ (void) snprintf(buf, sizeof buf, "%s/%s/LC_COLLATE",
+ _PathLocale, encoding);
 if ((fp = fopen(buf, "r")) == NULL) {
 __collate_load_error = save_load_error;
 return -1;
diff --git a/lib/libc/locale/setrunelocale.c b/lib/libc/locale/setrunelocale.c
index 228efe2908a..cf68a437a97 100644
--- a/lib/libc/locale/setrunelocale.c
+++ b/lib/libc/locale/setrunelocale.c
@@ -85,10 +85,8 @@ _xpg4_setrunelocale(encoding)
 if (!_PathLocale)
 return(EFAULT);
- (void) strcpy(name, _PathLocale);
- (void) strcat(name, "/");
- (void) strcat(name, encoding);
- (void) strcat(name, "/LC_CTYPE");
+ (void) snprintf(name, sizeof name, "%s/%s/LC_CTYPE",
+ _PathLocale, encoding);
 if ((fp = fopen(name, "r")) == NULL)
 return(ENOENT);
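Review bot: The `(void)` cast on both new `snprintf` calls discards the only signal that the path was truncated, so an over-long `encoding` no longer overflows the buffer but a shortened path is still handed to `fopen`. In `__collate_load_tables` (collate.c) the result should be checked, e.g. `if (snprintf(buf, sizeof buf, "%s/%s/LC_COLLATE", _PathLocale, encoding) >= (int)sizeof buf)`, taking the same `__collate_load_error = save_load_error; return -1;` path that the `fopen` failure uses. The same applies to `name` in `_xpg4_setrunelocale` (setrunelocale.c), where an errno-style return such as `ENAMETOOLONG` would fit next to the existing `return(EFAULT)` and `return(ENOENT)`. Nothing in the visible lines restricts what `encoding` may contain, and it presumably derives from the locale name given to setlocale, so it is worth confirming that a `/` in it is rejected before the path is built. Both function bodies start and end outside their hunks.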