From 6eed1dc7ca8ab52606ec1a04426f2b99e73238d4 Mon Sep 17 00:00:00 2001
From: Helmut Grohne <helmut@subdivi.de>
Date: Tue, 28 Jul 2009 14:22:31 +0200
Subject: [PATCH] improved expand function

 * removed unneeded variables
 * put an end to fixed length buffer ret
 * fixed a bug where string[-1] could be accessed
---
 uzbl.c |   38 +++++++++++++++++---------------------
 1 file changed, 17 insertions(+), 21 deletions(-)

diff --git a/uzbl.c b/uzbl.c
index ccd07e6..afcdb6b 100644
--- a/uzbl.c
+++ b/uzbl.c
@@ -54,6 +54,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <signal.h>
+#include <assert.h>
 #include "uzbl.h"
 #include "config.h"
 
@@ -240,10 +241,8 @@ gchar *
 expand(const char *s, guint recurse) {
     uzbl_cmdprop *c;
     guint etype;
-    char upto = ' ';
     char *end_simple_var = "^Â°!\"Â§$%&/()=?'`'+~*'#-.:,;@<>| \\{}[]Â¹Â²Â³Â¼Â½";
-    char str_end[3];
-    char ret[4096];
+    char *ret = NULL;
     char *vend = NULL;
     GError *err = NULL;
     gchar *cmd_stdout = NULL;
@@ -268,37 +267,31 @@ expand(const char *s, guint recurse) {
                         if(!vend) vend = strchr(s, '\0');
                         break;
                     case EXP_BRACED_VAR:
-                        s++; upto = '}';
-                        vend = strchr(s, upto);
+                        s++;
+                        vend = strchr(s, '}');
                         if(!vend) vend = strchr(s, '\0');
                         break;
                     case EXP_EXPR:
                         s++;
-                        strcpy(str_end, ")@");
-                        str_end[2] = '\0';
-                        vend = strstr(s, str_end);
+                        vend = strstr(s, ")@");
                         if(!vend) vend = strchr(s, '\0');
                         break;
                     case EXP_JS:
                         s++;
-                        strcpy(str_end, ">@");
-                        str_end[2] = '\0';
-                        vend = strstr(s, str_end);
+                        vend = strstr(s, ">@");
                         if(!vend) vend = strchr(s, '\0');
                         break;
                     case EXP_ESCAPE:
                         s++;
-                        strcpy(str_end, "]@");
-                        str_end[2] = '\0';
-                        vend = strstr(s, str_end);
+                        vend = strstr(s, "]@");
                         if(!vend) vend = strchr(s, '\0');
                         break;
                 }
+                assert(vend);
 
-                if(vend) {
-                    strncpy(ret, s, vend-s);
-                    ret[vend-s] = '\0';
-                }
+                ret = strndup(s, vend-s);
+                if(!ret)
+                        abort();
 
                 if(etype == EXP_SIMPLE_VAR ||
                    etype == EXP_BRACED_VAR) {
@@ -329,10 +322,10 @@ expand(const char *s, guint recurse) {
                         g_error_free (err);
                     }
                     else if (*cmd_stdout) {
-                        int len = strlen(cmd_stdout);
+                        size_t len = strlen(cmd_stdout);
 
-                        if(cmd_stdout[len-1] == '\n')
-                            cmd_stdout[--len] = 0; /* strip trailing newline */
+                        if(len > 0 && cmd_stdout[len-1] == '\n')
+                            cmd_stdout[--len] = '\0'; /* strip trailing newline */
 
                         g_string_append(buf, cmd_stdout);
                         g_free(cmd_stdout);
@@ -362,6 +355,9 @@ expand(const char *s, guint recurse) {
                     g_free(mycmd);
                     s = vend+2;
                 }
+
+                free(ret);
+                ret = NULL;
                 break;
 
             default:
-- 
1.7.9.5