From c26b8accb4b242991e4aae444a6799576a36783d Mon Sep 17 00:00:00 2001
From: Andrey Borzenkov <bor@users.sourceforge.net>
Date: Thu, 18 Aug 2005 18:15:44 +0000
Subject: [PATCH] 21663: check for string overflow

---
 ChangeLog          | 5 +++++
 Src/Zle/complete.c | 9 +++++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 656aa40f2..8db9a7d6e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2005-08-18  Andrey Borzenkov  <bor@zsh.org>
+
+	* 21663: Src/Zle/complete.c: check for string overflow
+	in do_comp_vars()
+
 2005-08-18  Peter Stephenson  <pws@csr.com>
 
 	* unposted: Doc/Zsh/contrib.yo, Functions/Zle/insert-unicode-char:
diff --git a/Src/Zle/complete.c b/Src/Zle/complete.c
index b8db18b1f..e246e2b8a 100644
--- a/Src/Zle/complete.c
+++ b/Src/Zle/complete.c
@@ -821,6 +821,8 @@ do_comp_vars(int test, int na, char *sa, int nb, char *sb, int mod)
 		    add = -1;
 		} else {
 		    p = compprefix + 1 + (*compprefix == Meta);
+		    if (p > compprefix + l)
+			p = compprefix + l;
 		    add = 1;
 		}
 		for (;;) {
@@ -833,10 +835,9 @@ do_comp_vars(int test, int na, char *sa, int nb, char *sb, int mod)
 		    if (add > 0) {
 			if (p == compprefix + l)
 			    return 0;
-			if (*p == Meta)
-			    p += 2;
-			else
-			    p++;
+			p = p + 1 + (*p == Meta);
+			if (p > compprefix + l)
+			    p = compprefix + l;
 		    } else {
 			if (p == compprefix)
 			    return 0;