From ebc3b25409dd614c1814a0643960452683e37aa3 Mon Sep 17 00:00:00 2001
From: Alan Third <alan@idiocy.org>
Date: Sat, 13 Mar 2021 21:59:59 +0000
Subject: [PATCH] Fix buffer overflow in xbm_scan (bug#47094)

* src/image.c (xbm_scan): Ensure reading a string doesn't overflow the
buffer.
---
 src/image.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/image.c b/src/image.c
index 6d493f6cdd4..b85418c690d 100644
--- a/src/image.c
+++ b/src/image.c
@@ -3392,6 +3392,7 @@ static int
 xbm_scan (char **s, char *end, char *sval, int *ival)
 {
   unsigned char c UNINIT;
+  char *sval_end = sval + BUFSIZ;
 
  loop:
 
@@ -3451,7 +3452,7 @@ xbm_scan (char **s, char *end, char *sval, int *ival)
   else if (c_isalpha (c) || c == '_')
     {
       *sval++ = c;
-      while (*s < end
+      while (*s < end && sval < sval_end
 	     && (c = *(*s)++, (c_isalnum (c) || c == '_')))
 	*sval++ = c;
       *sval = 0;
-- 
2.39.2