From a464de694f7a087b7effbde9890fdc144764491a Mon Sep 17 00:00:00 2001
From: imp
Date: Mon, 24 Mar 1997 06:41:30 +0000
Subject: [PATCH] Don't overflow buffers, and only open alternative termcap files if we're not running setuid or setgid. Fixes PR 2586
Submitted by: Julian Assange
---
 lib/libtermcap/pathnames.h | 1 +
 lib/libtermcap/termcap.c | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/libtermcap/pathnames.h b/lib/libtermcap/pathnames.h
index db3ccf74f21c..e77bab81a0a2 100644
--- a/lib/libtermcap/pathnames.h
+++ b/lib/libtermcap/pathnames.h
@@ -34,3 +34,4 @@
 */
 #define _PATH_DEF ".termcap /usr/share/misc/termcap"
+#define _PATH_DEF_SEC "/usr/share/misc/termcap"
diff --git a/lib/libtermcap/termcap.c b/lib/libtermcap/termcap.c
index 38cb1a22a80d..d8966ec0b1b6 100644
--- a/lib/libtermcap/termcap.c
+++ b/lib/libtermcap/termcap.c
@@ -105,8 +105,9 @@ tgetent(char *bp, const char *name)
 strncpy(pathbuf, termpath, PBUFSIZ);
 else {
 if ( (home = getenv("HOME")) ) {/* set up default */
- p += strlen(home); /* path, looking in */
- strcpy(pathbuf, home); /* $HOME first */
+ strncpy(pathbuf, home, PBUFSIZ - 1); /* $HOME first */
+ pathbuf[PBUFSIZ - 2] = '\0'; /* -2 because we add a slash */
+ p += strlen(pathbuf); /* path, looking in */
 *p++ = '/';
 } /* if no $HOME look in current directory */
 strncpy(p, _PATH_DEF, PBUFSIZ - (p - pathbuf));
@@ -114,7 +115,11 @@ tgetent(char *bp, const char *name)
 }
 else /* user-defined name in TERMCAP */
 strncpy(pathbuf, cp, PBUFSIZ); /* still can be tokenized */
+ pathbuf[PBUFSIZ - 1] = '\0';
+ /* XXX Should really be issetguid(), but we don't have that */
+ if (getuid() != geteuid() || getgid() != getegid())
+ strcpy(pathbuf, _PATH_DEF_SEC);
 *fname++ = pathbuf; /* tokenize path into vector of names */
 while (*++p)
 if (*p == ' ' || *p == ':') {
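Review bot: An over-long `$HOME` is silently cut at `PBUFSIZ - 2` bytes instead of being rejected, so the first search entry becomes a truncated, different path. In that case `p` ends up on the last byte of `pathbuf`, and the following `strncpy(p, _PATH_DEF, ...)` has room for one character and no terminator. The later `while (*++p)` scan in the next hunk pre-increments, so from that position it would start reading at `pathbuf[PBUFSIZ]`, assuming `pathbuf` is declared with `PBUFSIZ` elements and `p` starts at `pathbuf` (both are outside the hunk). It would be safer to use `$HOME` only when the whole default fits, e.g. `if ((home = getenv("HOME")) && strlen(home) + 1 + sizeof(_PATH_DEF) <= PBUFSIZ) {`, and otherwise fall through to the current-directory default. tgetent's body starts and ends outside the hunk.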
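Review bot: `p` is not reset after `strcpy(pathbuf, _PATH_DEF_SEC)` in the setuid/setgid branch, although the previous hunk may have advanced it past `$HOME` and the slash. The tokenizer loop `while (*++p)` can therefore start beyond the new, shorter string's terminator and walk over bytes left from the earlier copy, which may add stale entries to the file vector. Resetting the cursor in the same branch avoids that: `{ strcpy(pathbuf, _PATH_DEF_SEC); p = pathbuf; }`. The XXX comment could also state why the override exists, e.g. `/* set-id programs must ignore TERMPATH, HOME and TERMCAP file names */`. The loop and the rest of tgetent continue outside the hunk.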