
From: Willi Mann <willi@debian.org>
Date: Sat, 31 Dec 2016 14:43:10 +0100
Subject: convert.c: Use safe buffer size and snprintf

cmd_expand, cmd_emboss, and cmd_engrave print an integer to a stack buffer.
Unfortunately, the previous buffer size of 10 is too small (e.g., to store -1 *
10^9), so a buffer overflow could be provoked. This patch increases the
buffer size to 12 and switches to snprintf.

Bug-Debian: https://bugs.debian.org/849705
---
 src/convert.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/convert.c b/src/convert.c
index c76d7d6..5294743 100644
--- a/src/convert.c
+++ b/src/convert.c
@@ -1373,9 +1373,9 @@ cmd_ftech (Word *w, int align, char has_param, int param) {
 
 static int 
 cmd_expand (Word *w, int align, char has_param, int param) {
-	char str[10];
+	char str[12];
 	if (has_param) {
-		sprintf(str, "%d", param/4);
+		snprintf(str, 12, "%d", param/4);
 		if (!param) 
 			attr_pop(ATTR_EXPAND);
 		else 
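Review bot: The bound passed to snprintf is the literal `12`, repeated separately from the `char str[12];` declaration, so a later change to the array size can silently leave the bound too large. Tie the two together with `snprintf(str, sizeof str, "%d", param/4);`. The same applies to the snprintf calls added in cmd_emboss and cmd_engrave (`snprintf(str, sizeof str, "%d", param);`). cmd_expand's body continues past the end of this hunk.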
@@ -1394,7 +1394,7 @@ cmd_expand (Word *w, int align, char has_param, int param) {
 
 static int 
 cmd_emboss (Word *w, int align, char has_param, int param) {
-	char str[10];
+	char str[12];
 	if (has_param && !param)
 #ifdef SUPPORT_UNNESTED
 		attr_find_pop(ATTR_EMBOSS);
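Review bot: The new size in `char str[12];` is correct only under an assumption the code does not record: the longest "%d" output for a 32-bit int is "-2147483648", 11 characters plus the terminating NUL. A comment at the declaration such as `/* "-2147483648" (INT_MIN, 32-bit int) + NUL */` would keep the next reader from shrinking it back. The snprintf return value is ignored in all three functions, so on a platform with a wider int a truncated number would presumably be pushed as the attribute without any diagnostic. The declarations in cmd_expand and cmd_engrave would take the same comment.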
@@ -1403,7 +1403,7 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
 #endif
 	else
 	{
-		sprintf(str, "%d", param);
+		snprintf(str, 12, "%d", param);
 		attr_push(ATTR_EMBOSS, str);
 	}
 	return FALSE;
@@ -1419,12 +1419,12 @@ cmd_emboss (Word *w, int align, char has_param, int param) {
 
 static int 
 cmd_engrave (Word *w, int align, char has_param, int param) {
-	char str[10];
+	char str[12];
 	if (has_param && !param) 
 		attr_pop(ATTR_ENGRAVE);
 	else
 	{
-		sprintf(str, "%d", param);
+		snprintf(str, 12, "%d", param);
 		attr_push(ATTR_ENGRAVE, str);
 	}
 	return FALSE;
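Review bot: The `else` branch in cmd_engrave runs whenever `has_param && !param` is false, which includes the case where `has_param` is zero, so `param` is formatted and pushed even when the control word carried no parameter. What value `param` holds in that case is decided by the caller, which is not visible here. A short comment on the branch, for example `/* also taken when no parameter was given; param is then whatever the caller passed */`, would make that explicit. cmd_emboss has the same structure.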