From be1d87492e2fba479151edcaf7f3818675b1eac7 Mon Sep 17 00:00:00 2001
From: Eli Zaretskii <eliz@gnu.org>
Date: Sat, 6 Feb 2016 18:30:35 +0200
Subject: [PATCH] Fix issues found by auditing w32notify code

* src/w32inevt.c (handle_file_notifications): Count the number of
events to be returned.
* src/w32notify.c (send_notifications): Don't copy to the file
notification buffer more than it can hold.  (Bug#22534)
---
 src/w32inevt.c  | 1 +
 src/w32notify.c | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/w32inevt.c b/src/w32inevt.c
index 54b0b13f54e..e714e27f4bc 100644
--- a/src/w32inevt.c
+++ b/src/w32inevt.c
@@ -660,6 +660,7 @@ handle_file_notifications (struct input_event *hold_quit)
 	      inev.arg = list3 (make_pointer_integer (notifications_desc),
 				action, fname);
 	      kbd_buffer_store_event_hold (&inev, hold_quit);
+	      nevents++;
 
 	      if (!fni->NextEntryOffset)
 		break;
diff --git a/src/w32notify.c b/src/w32notify.c
index 576cf844dab..71787c45db8 100644
--- a/src/w32notify.c
+++ b/src/w32notify.c
@@ -144,8 +144,9 @@ send_notifications (BYTE *info, DWORD info_size, void *desc,
       if (!notification_buffer_in_use)
 	{
 	  if (info_size)
-	    memcpy (file_notifications, info, info_size);
-	  notifications_size = info_size;
+	    memcpy (file_notifications, info,
+		    min (info_size, sizeof (file_notifications)));
+	  notifications_size = min (info_size, sizeof (file_notifications));
 	  notifications_desc = desc;
 	  /* If PostMessage fails, the message queue is full.  If that
 	     happens, the last thing they will worry about is file
-- 
2.39.2