From 66c6fdd52e4e5d4b9a1133bf2c57444b8a6b0048 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Mon, 29 Aug 2011 08:56:20 -0700
Subject: [PATCH] * emacs.c (main) [NS_IMPL_COCOA]: Don't overrun buffer when creating daemon; the previous buffer-overflow check was incorrect.

---
 src/ChangeLog | 3 +++
 src/emacs.c   | 8 +++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index afd78a46c6e..e918fa46a2b 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -30,6 +30,9 @@
 	even if the time zone offset is outlandishly large.  Don't mishandle
 	offset == INT_MIN.
+	* emacs.c (main) [NS_IMPL_COCOA]: Don't overrun buffer
+	when creating daemon; the previous buffer-overflow check was incorrect.
+
 2011-08-26  Paul Eggert
 	Integer and memory overflow issues (Bug#9196).
diff --git a/src/emacs.c b/src/emacs.c
index 7039f063dc2..2c6af6b5431 100644
--- a/src/emacs.c
+++ b/src/emacs.c
@@ -1068,15 +1068,17 @@ Using an Emacs configured with --with-x-toolkit=lucid does not have this problem
       if (!dname_arg || !strchr (dname_arg, '\n'))
 	{
 	  /* In orig, child: now exec w/special daemon name.  */
 	  char fdStr[80];
+	  int fdStrlen =
+	    snprintf (fdStr, sizeof fdStr,
+		      "--daemon=\n%d,%d\n%s", daemon_pipe[0],
+		      daemon_pipe[1], dname_arg ? dname_arg : "");
-	  if (dname_arg && strlen (dname_arg) > 70)
+	  if (! (0 <= fdStrlen && fdStrlen < sizeof fdStr))
 	    {
 	      fprintf (stderr, "daemon: child name too long\n");
 	      exit (1);
 	    }
-	  sprintf (fdStr, "--daemon=\n%d,%d\n%s", daemon_pipe[0],
-		   daemon_pipe[1], dname_arg ? dname_arg : "");
 	  argv[skip_args] = fdStr;
 	  execv (argv[0], argv);
-- 
2.39.2
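Review bot: `fdStrlen < sizeof fdStr` on the new `if` line in the emacs.c hunk compares a signed `int` against a `size_t`; the preceding `0 <= fdStrlen` makes the implicit promotion safe, but `-Wsign-compare` will flag it, so make the intent explicit with `if (! (0 <= fdStrlen && (size_t) fdStrlen < sizeof fdStr))`. The same branch now also fires when snprintf returns a negative value (an output/encoding error rather than a long name), so the "daemon: child name too long" message is slightly misleading in that case; if that matters, test the negative return separately with its own message. A comment above the test such as `/* snprintf reports the full length even when it truncates, so this rejects any name that would not fit in fdStr, including the fd digits and delimiters the old strlen (dname_arg) > 70 check ignored.  */` would record why the returned length, not the name length, is the right bound. The enclosing main() body starts and ends outside the hunk.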