From ce20a8e9bed820bf82da820b5c22ff365f73bca9 Mon Sep 17 00:00:00 2001
From: "Tim J. Robbins"
Date: Sun, 2 Nov 2003 23:20:24 +0000
Subject: [PATCH] Change the buffer length test in NEEDSP() so that it does not subtract one unsigned number from another potentially smaller one, leading to wraparound (and heap corruption, eventually).
PR: 58813
MFC after: 2 weeks
---
 usr.bin/sed/process.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/usr.bin/sed/process.c b/usr.bin/sed/process.c
index d0fac865bad8..93019b41513a 100644
--- a/usr.bin/sed/process.c
+++ b/usr.bin/sed/process.c
@@ -557,7 +557,8 @@ regsub(sp, string, src)
 char c, *dst;
 #define NEEDSP(reqlen) \
- if (sp->len >= sp->blen - (reqlen) - 1) { \
+ /* XXX What is the +1 for? */ \
+ if (sp->len + (reqlen) + 1 >= sp->blen) { \
 sp->blen += (reqlen) + 1024; \
 if ((sp->space = sp->back = realloc(sp->back, sp->blen)) \
 == NULL) \
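Review bot: The rewritten test in NEEDSP() removes the subtraction wraparound, but `sp->len + (reqlen) + 1` and the growth step `sp->blen += (reqlen) + 1024` are still unchecked unsigned sums, so a very large `reqlen` could wrap either one and leave the buffer smaller than the write that follows. The commit message says the operands are unsigned; their declarations are outside the hunk. If `sp->len <= sp->blen` always holds for a SPACE, the comparison can avoid summing onto `len` with `if ((reqlen) + 1 >= sp->blen - sp->len) { \`, and the growth step would still need a guard against `blen` wrapping before the realloc(). The `/* XXX What is the +1 for? */` marker leaves the sizing invariant of a heap buffer undocumented; presumably the extra byte keeps room for a terminating NUL written later in regsub(), which would read `/* +1 keeps room for the trailing NUL */ \` once confirmed against the rest of the function. The macro body and regsub() itself continue outside the hunk.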