From 54731dd901abc11fb2baa36fbe3c41e9e8ec548b Mon Sep 17 00:00:00 2001
From: Iain Patterson
Date: Mon, 6 Mar 2017 11:48:18 +0000
Subject: [PATCH] Fixed buffer overflow in GUI browse().

Thanks Connor Reynolds.
---
 README.txt | 1 +
 gui.cpp | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.txt b/README.txt
index e6d3d50..eaecac2 100644
--- a/README.txt
+++ b/README.txt
@@ -1043,6 +1043,7 @@ Thanks to Nicolas Ducrocq for suggesting timestamping redirected output. Thanks to Meang Akira Tanaka for suggestion and initial implementation of the statuscode command. Thanks to Kirill Kovalenko for reporting a crash with NANO server.
+Thanks to Connor Reynolds for spotting a potential buffer overflow.
 Licence
 -------
diff --git a/gui.cpp b/gui.cpp
index 9c4d712..5aaa932 100644
--- a/gui.cpp
+++ b/gui.cpp
@@ -924,7 +924,7 @@ void browse(HWND window, TCHAR *current, unsigned long flags, ...) {
 va_start(arg, flags);
 while (i = va_arg(arg, int)) {
 TCHAR *localised = message_string(i);
-_sntprintf_s((TCHAR *) ofn.lpstrFilter + len, bufsize, _TRUNCATE, localised);
+_sntprintf_s((TCHAR *) ofn.lpstrFilter + len, bufsize - len, _TRUNCATE, localised);
 len += _tcslen(localised) + 1;
 LocalFree(localised);
 TCHAR *filter = browse_filter(i);
-- 
2.20.1
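Review bot: The `+` line in the gui.cpp hunk still passes `localised` as the format argument of `_sntprintf_s`, so any `%` sequence in a message resource is parsed as a conversion specifier; a fixed format avoids that, `_sntprintf_s((TCHAR *) ofn.lpstrFilter + len, bufsize - len, _TRUNCATE, _T("%s"), localised);`. The return value is also discarded: with `_TRUNCATE` the call returns -1 when the text was cut, yet `len += _tcslen(localised) + 1` advances by the untruncated length, so on a later iteration `len` can exceed `bufsize` and `bufsize - len` goes negative or wraps depending on its type, which is not visible here. Capturing the result, e.g. `int n = _sntprintf_s(...)`, and leaving the loop after `LocalFree(localised)` when `n < 0` keeps `len` consistent with what was actually written. Whether `bufsize` is a TCHAR count rather than a byte count cannot be confirmed from the hunk; `_sntprintf_s` expects a character count. browse() begins and ends outside this hunk.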