From 5578bd8c991bd987dbf63ea87d5588e50fb410c3 Mon Sep 17 00:00:00 2001
From: Colin Percival <cperciva@FreeBSD.org>
Date: Mon, 18 Oct 2004 15:40:47 +0000
Subject: [PATCH] Modify behaviour of `xargs -I` in order to: 1. Conform to
 IEEE Std 1003.1-2004, which state that "Constructed arguments cannot grow
 larger than 255 bytes", and 2. Avoid a buffer overflow.

Unfortunately the standard doesn't indicate how xargs is supposed to
handle arguments which (with the appropriate substitutions) would grow
larger than 255 bytes; this solution handles those by making as many
substitutions as possible without overflowing the buffer.

OpenBSD's xargs resolves this in a different direction, by making
all the substitutions and then silently truncating the resulting string.

Since this change may break existing scripts which rely upon the buffer
overflow (255 bytes isn't really all that long...) it will not be MFCed.
---
 usr.bin/xargs/strnsubst.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/usr.bin/xargs/strnsubst.c b/usr.bin/xargs/strnsubst.c
index fc00ea0db32..82868ffc3d8 100644
--- a/usr.bin/xargs/strnsubst.c
+++ b/usr.bin/xargs/strnsubst.c
@@ -52,8 +52,8 @@ strnsubst(char **str, const char *match, const char *replstr, size_t maxsize)
 		this = strstr(s1, match);
 		if (this == NULL)
 			break;
-		if ((strlen(s2) + ((uintptr_t)this - (uintptr_t)s1) +
-		    (strlen(replstr) - 1)) > maxsize && *replstr != '\0') {
+		if ((strlen(s2) + strlen(s1) + strlen(replstr) -
+		    strlen(match) + 1) > maxsize) {
 			strlcat(s2, s1, maxsize);
 			goto done;
 		}