From acb85bc034fee045765cabd59bbb28296dacc6e6 Mon Sep 17 00:00:00 2001
From: "Tim J. Robbins"
Date: Sat, 11 Oct 2003 07:35:35 +0000
Subject: [PATCH] Fix a BSS buffer overflow caused by makeargv() writing past the end of margv[] when an input line contains 20 or more space-separated words.

---
 usr.sbin/timed/timedc/timedc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/usr.sbin/timed/timedc/timedc.c b/usr.sbin/timed/timedc/timedc.c
index f8138c39597..368b460513a 100644
--- a/usr.sbin/timed/timedc/timedc.c
+++ b/usr.sbin/timed/timedc/timedc.c
@@ -59,7 +59,8 @@ int trace = 0;
 FILE *fd = 0;
 int margc;
 int fromatty;
-char *margv[20];
+#define MAX_MARGV 20
+char *margv[MAX_MARGV];
 char cmdline[200];
 jmp_buf toplevel;
 static struct cmd *getcmd __P((char *));
@@ -183,7 +184,7 @@ makeargv()
 register char **argp = margv;
 
 margc = 0;
- for (cp = cmdline; *cp;) {
+ for (cp = cmdline; margc < MAX_MARGV - 1 && *cp; ) {
 while (isspace(*cp))
 cp++;
 if (*cp == '\0')
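Review bot: The new loop condition `margc < MAX_MARGV - 1` in makeargv() stops filling margv[] after 19 words but gives no signal that the rest of the line was dropped, so an over-long command is presumably processed with its trailing arguments silently cut off; a diagnostic or an error return for that case would be safer than quiet truncation. The `- 1` looks like it reserves the last slot for a NULL terminator stored after the loop, which lies outside this hunk, and it deserves a comment so a later edit does not remove it, e.g. `/* stop one short of MAX_MARGV: the last slot holds the terminating NULL */`. The bound is also only correct while `margc` and `argp` advance in lockstep in the part of the loop body not shown here, which is worth confirming. Separately, the context line `isspace(*cp)` passes a plain `char` read from cmdline[]; `isspace((unsigned char)*cp)` avoids undefined behaviour for bytes above 0x7f.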