From 838e784c5f912193e1b224dd34ddee9e6ec7f9f1 Mon Sep 17 00:00:00 2001
From: ridiculousfish
Date: Wed, 16 Oct 2013 01:02:15 -0700
Subject: [PATCH] Fix for buffer overflows identified by libgmalloc
---
 fallback.cpp | 20 +++++++++++++-------
 parse_util.cpp | 6 ++++--
 2 files changed, 17 insertions(+), 9 deletions(-)
diff --git a/fallback.cpp b/fallback.cpp
index 7e215bbe7..f469f257a 100644
--- a/fallback.cpp
+++ b/fallback.cpp
@@ -1503,14 +1503,20 @@ static int mk_wcwidth(wchar_t ucs)
 static int mk_wcswidth(const wchar_t *pwcs, size_t n)
 {
- int w, width = 0;
-
- for (; *pwcs && n-- > 0; pwcs++)
- if ((w = mk_wcwidth(*pwcs)) < 0)
- return -1;
- else
- width += w;
+ int width = 0;
+ for (size_t i=0; i < n; i++)
+ {
+ if (pwcs[i] == L'\0')
+ break;
+ int w = mk_wcwidth(pwcs[i]);
+ if (w < 0)
+ {
+ width = -1;
+ break;
+ }
+ width += w;
+ }
 return width;
 }
diff --git a/parse_util.cpp b/parse_util.cpp
index 2f95a3e25..5d8a1b1d0 100644
--- a/parse_util.cpp
+++ b/parse_util.cpp
@@ -260,8 +260,7 @@ void parse_util_cmdsubst_extent(const wchar_t *buff, size_t cursor_pos, const wc
 /* No subshell found, all done */
 break;
 }
-
- /* Intrepret NULL to mean the end */
+ /* Interpret NULL to mean the end */
 if (end == NULL)
 {
 end = const_cast(buff) + bufflen;
@@ -273,6 +272,9 @@ void parse_util_cmdsubst_extent(const wchar_t *buff, size_t cursor_pos, const wc
 begin++;
 ap = begin;
 bp = end;
+ /* pos is where to begin looking for the next one. But if we reached the end there's no next one. */
+ if (begin >= end)
+ break;
 pos = begin + 1;
 }
 else if (begin >= cursor)
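Review bot: The new loop in mk_wcswidth carries no comment saying that the bound test `i < n` must come before the read of `pwcs[i]`, which is the entire fix here. The removed condition `*pwcs && n-- > 0` dereferenced first, so it read one element past an n-character buffer that was not NUL-terminated, and the two tests are easy to swap back during a later tidy-up. I would add a line above the loop such as `/* Test i < n before reading pwcs[i]: the input need not be NUL-terminated within n characters */`. As a smaller style point, the unbraced `break;` after the NUL test sits next to a braced `if (w < 0)`; bracing both would be consistent.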
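Review bot: The added `if (begin >= end) break;` guards only the `pos = begin + 1;` in this branch of parse_util_cmdsubst_extent, and the invariant it protects (pos never moves past `buff + bufflen`) is not stated or checked anywhere in the hunk. The enclosing loop and its other branches start and end outside the hunk, so any other assignment to `pos` there should be checked for the same one-past-the-end step. If the file already uses assertions, `assert(pos <= buff + bufflen);` after the assignment would make the bound explicit in debug builds instead of relying on libgmalloc to catch a regression. The unbraced `break;` would also be safer braced, since this is a bounds guard.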