From fb81421fc7eab4f92177c37f8a6b21ee7e1532d3 Mon Sep 17 00:00:00 2001
From: Simon Arlott
Date: Thu, 27 Jul 2017 12:58:23 +0100
Subject: [PATCH] ircd: substitution: fix NULL termination buffer overrun when the output is too large for the buffer
---
 ircd/substitution.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/ircd/substitution.c b/ircd/substitution.c
index 4396c2b1..63d5f2f2 100644
--- a/ircd/substitution.c
+++ b/ircd/substitution.c
@@ -140,8 +140,11 @@ char *substitution_parse(const char *fmt, rb_dlink_list *varlist)
 if (!rb_strcasecmp(varname, val->name))
 {
- rb_strlcpy(bptr, val->value, BUFSIZE - (bptr - buf));
+ rb_strlcpy(bptr, val->value, sizeof(buf) - (bptr - buf));
 bptr += strlen(val->value);
+ if (bptr >= &buf[sizeof(buf)]) {
+ bptr = &buf[sizeof(buf) - 1];
+ }
 break;
 }
 }
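Review bot: `bptr += strlen(val->value)` still runs before the new bounds check, so for a long value the pointer is first moved beyond one-past-the-end of `buf`; that is undefined behaviour in C even though the added `if` then clamps it, and a compiler may reason about the comparison on that basis. Computing the remaining room first and advancing only by what was actually stored avoids this: `size_t room = sizeof(buf) - (bptr - buf);`, `size_t n = rb_strlcpy(bptr, val->value, room);`, `bptr += (n < room) ? n : room - 1;`, assuming rb_strlcpy returns the source length as strlcpy does. Truncation is also silent on this path, so a comment such as `/* value truncated to fit buf */` or a log line would make the clamped case visible to maintainers. The declaration of `buf` and the rest of substitution_parse are outside the hunk, so confirm there that `sizeof(buf)` is the array size rather than a pointer size, and that other writes through `bptr` keep it below the last byte so `room` is never zero.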