
[Release b]
<t4m_bug_bfprintf>
Mon Jun 7 11:15:37 WEST 2004
The function bfprintf [../utility/buffer.c] suffers from a buffer overrun.
It tries to put characters into a buffer without testing whether there is space
for them. I have observed heap corruption while fixing other bugs (because of
long debugging messages), but this time I don't have any specific example,
since in normal circumstances error messages are relatively short.
The fix consists of just adding a call to the function stretch_buffer
[../utility/buffer.c] before inserting the character into the buffer. Here is
a diff; lines marked with '+' have been added:
*** buffer.c1 Sat Jan 17 15:55:40 1998
--- buffer.c Mon Jun 7 11:08:00 2004
***************
*** 222,227 ****
--- 222,228 ----
case 'c' : {
/* '%c' -> character (passed as int) */
int ac = va_arg ( args, int ) ;
+ p = stretch_buffer ( bf, p, 1 ) ;
*( p++ ) = ( character ) ac ;
break ;
}
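Review bot: the result of stretch_buffer is assigned back to p, which means the buffer may be reallocated and move; any other pointer into bf's storage held across this call in bfprintf (for example a saved start-of-field position) would be left dangling, so confirm no such pointer exists, and record in stretch_buffer's comment that the caller must use only the returned p afterwards. The request size of 1 matches the single `*( p++ ) = ( character ) ac ;` write that follows, which is correct for this site.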
***************
*** 277,282 ****
--- 278,284 ----
}
case '%' : {
/* '%%' -> percent */
+ p = stretch_buffer ( bf, p, 1 ) ;
*( p++ ) = ( character ) c ;
break ;
}
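Review bot: this hunk and the `else` branch below insert the identical two lines `p = stretch_buffer ( bf, p, 1 ) ;` / `*( p++ ) = ( character ) c ;`; since the original bug was exactly a write site that had no guard, consider folding the pair into one small helper or macro (e.g. put_char(bf, p, c)) so that any future insertion site cannot omit the stretch_buffer call.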
***************
*** 288,293 ****
--- 290,296 ----
}
}
} else {
+ p = stretch_buffer ( bf, p, 1 ) ;
*( p++ ) = ( character ) c ;
}
}
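Review bot: this branch handles every ordinary (non-'%') character of the format string, so the guard is on the hot path; a single capacity check per character is the safe choice here, but if stretch_buffer is an out-of-line call it could later be replaced by one stretch for the length of the literal run. More importantly, the three hunks guard only the character-insertion sites shown; if bfprintf terminates the buffer with a NUL or returns a position after the loop (not visible in this diff), that final write needs the same stretch_buffer guard, otherwise the overrun the log entry describes remains possible at the end of the buffer.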