From 662578dbe79da90ff3f97ac2371b48100358ab61 Mon Sep 17 00:00:00 2001
From: ThorstenB <brehmt@gmail.com>
Date: Sat, 23 Oct 2010 14:47:24 +0200
Subject: [PATCH] Buffer size safety. Do not look for '\n' beyond valid data
 area. Obey buffer length (in case a METAR contained a line > 512byte).

---
 simgear/io/sg_socket.cxx | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/simgear/io/sg_socket.cxx b/simgear/io/sg_socket.cxx
index 636ff345..770bb51d 100644
--- a/simgear/io/sg_socket.cxx
+++ b/simgear/io/sg_socket.cxx
@@ -296,7 +296,7 @@ SGSocket::readline( char *buf, int length )
     int i;
     for ( i = 0; i < save_len && save_buf[i] != '\n'; ++i )
 	;
-    if ( save_buf[i] == '\n' ) {
+    if (( i < save_len ) && ( save_buf[i] == '\n' )) {
 	result = i + 1;
     } else {
 	// no end of line yet
@@ -305,9 +305,16 @@ SGSocket::readline( char *buf, int length )
 
     // we found an end of line
 
+    // check buffer size
+    int copy_length = result;
+    if (copy_length >= length) {
+	SG_LOG( SG_IO, SG_ALERT, 
+	        "Alert: readline() has line exceeding the buffer size." );
+	copy_length = length-1;
+    }
     // copy to external buffer
-    strncpy( buf, save_buf, result );
-    buf[result] = '\0';
+    strncpy( buf, save_buf, copy_length );
+    buf[copy_length] = '\0';
 
     // shift save buffer
     //memmove( save_buf+, save_buf+, ? );
-- 
2.39.5