# Fix remote buffer overflow vulnerability if an excessive remote error is sent
# and processed due to the text buffer overflowing.

# Discovery: Stefan Cornelius <dercorny@gentoo.org> of Gentoo Security
# Patch: Tim Yamin <plasmaroo@gentoo.org> of Gentoo Auditing

http://bugs.gentoo.org/121605

--- bomberclone-0.11.6.2/src/menu.c
+++ bomberclone-0.11.6.2/src/menu.c
@@ -629,7 +629,7 @@
     memset (text, 0, sizeof (text));
     memset (out, 0, sizeof (out));
     va_start (args, fmt);
-    vsprintf (text, fmt, args);
+    vsnprintf (text, 512, fmt, args);
     va_end (args);
 
     menu_formattext (text, out, lines, &linenr, &maxlinelen, MENU_MESSAGES_MAXLINELEN,
@@ -722,7 +724,7 @@
     memset (text, 0, sizeof (text));
     memset (out, 0, sizeof (out));
     va_start (args, fmt);
-    vsprintf (text, fmt, args);
+    vsnprintf (text, 512, fmt, args);
     va_end (args);
 
     menu_formattext (text, out, lines, &linenr, &maxlinelen, MENU_MESSAGES_MAXLINELEN,
--- bomberclone-0.11.6.2/src/menulabels.c
+++ bomberclone-0.11.6.2/src/menulabels.c
@@ -72,7 +72,7 @@
 	memset (text, 0, sizeof (text));
 	memset (out, 0, sizeof (out));
 	va_start (args, fmt);
-	vsprintf (text, fmt, args);
+	vsnprintf (text, 1024, fmt, args);
 	va_end (args);
 
 	menu_formattext (text, out, lineptr, &linecnt, &maxchar, maxlen, maxlines);