From 9e3bf9df5d98e9f047e457f47017a3f4d076f2dc Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 23 Sep 2009 14:20:45 +0200
Subject: [PATCH] fix buffer overflow in textbox when reflowing (CVE-2009-2905)
---
 textbox.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/textbox.c b/textbox.c
index c9dd88d..ec75446 100644
--- a/textbox.c
+++ b/textbox.c
@@ -175,7 +175,7 @@ static void doReflow(const char * text, char ** resultPtr, int width,
 if (resultPtr) {
 /* XXX I think this will work */
- result = malloc(strlen(text) + (strlen(text) / width) + 2);
+ result = malloc(strlen(text) + (strlen(text) / (width - 1)) + 2);
 *result = '\0';
 }
-- 
2.47.2
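Review bot: The new divisor `(width - 1)` is zero when `width` is 1, and for `width <= 0` it converts to a very large unsigned value, so the per-line allowance collapses to 0. Neither case is guarded in the lines shown, so unless callers guarantee `width >= 2` (not visible here) the allocation can still hit a division by zero or come out undersized. The `malloc` result is also written through by `*result = '\0';` without a NULL check. I would clamp the divisor and check the allocation, e.g. `size_t per = width > 1 ? (size_t)(width - 1) : 1;`, `result = malloc(strlen(text) + strlen(text) / per + 2);`, `if (!result) return;`, and replace the `XXX I think this will work` comment with one stating the worst-case growth the size formula assumes. doReflow's body starts and ends outside the hunk, so how an early return should leave the output pointers needs confirming against the rest of the function.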