Fix buffer overflow in CR/LF conversion.

An already present CR/LF combination causes us to jump two characters,
but we failed to update the length counter when doing this.

This also makes sure we handle the corner case of a CR as the last
character.

Note: porting Pierre Ossman's commit (svn r11873) to branch-1.3-porting.


git-svn-id: file:///fltk/svn/fltk/branches/branch-1.3-porting@11913 ea41ed52-d2ee-0310-a9c1-e6b18d33e121

1 files changed, 6 insertions, 6 deletions

diff --git a/src/Fl_win32.cxx b/src/Fl_win32.cxx
index ba68ec0ac..13ae5c459 100644
--- a/src/Fl_win32.cxx
+++ b/src/Fl_win32.cxx
@@ -581,9 +581,9 @@ public:
     char *o;
     int lencount;
     // Predict size of \r\n conversion buffer
-    for ( i=in, lencount = inlen; lencount--; ) {
-      if ( *i == '\r' && *(i+1) == '\n' )	// leave \r\n untranslated
-	{ i+=2; outlen+=2; }
+    for (i = in, lencount = inlen; lencount > 0; lencount--) {
+      if ( *i == '\r' && *(i+1) == '\n' && lencount >= 2 )	// leave \r\n untranslated
+	{ i+=2; outlen+=2; lencount--; }
       else if ( *i == '\n' )			// \n by itself? leave room to insert \r
 	{ i++; outlen+=2; }
       else
@@ -592,9 +592,9 @@ public:
     // Alloc conversion buffer + NULL
     out = new char[outlen+1];
     // Handle \n -> \r\n conversion
-    for ( i=in, o=out, lencount = inlen; lencount--; ) {
-      if ( *i == '\r' && *(i+1) == '\n' )	// leave \r\n untranslated
-        { *o++ = *i++; *o++ = *i++; }
+    for (i = in, o=out, lencount = inlen; lencount > 0; lencount--) {
+      if ( *i == '\r' && *(i+1) == '\n' && lencount >= 2 )	// leave \r\n untranslated
+        { *o++ = *i++; *o++ = *i++; lencount--; }
       else if ( *i == '\n' )			// \n by itself? insert \r
         { *o++ = '\r'; *o++ = *i++; }
       else