From 3d1d2f5acc1b041951952e43a52dc92448c93e0c Mon Sep 17 00:00:00 2001
From: Volker Ruppert
Date: Wed, 30 Apr 2014 16:26:22 +0000
Subject: [PATCH] Fixed possible buffer overflow caused by environment variable expansion.
---
 bochs/config.cc | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/bochs/config.cc b/bochs/config.cc
index e65307531..51f15270d 100644
--- a/bochs/config.cc
+++ b/bochs/config.cc
@@ -1879,21 +1879,33 @@ static int parse_line_unformatted(const char *context, char *line)
 *pv = 0;
 if (strlen(varname)<1 || !(value = getenv(varname))) {
 if ((value = get_builtin_variable(varname))) {
+ if ((string_i + strlen(value)) < 512) {
+ // append value to the string
+ for (pv=(char *)value; *pv; pv++)
+ string[string_i++] = *pv;
+ } else {
+ BX_PANIC(("parse_line_unformatted(): out of memory"));
+ }
+ } else {
+ BX_PANIC(("could not look up environment variable '%s'", varname));
+ }
+ } else {
+ if ((string_i + strlen(value)) < 512) {
 // append value to the string
 for (pv=(char *)value; *pv; pv++)
 string[string_i++] = *pv;
 } else {
- BX_PANIC (("could not look up environment variable '%s'", varname));
+ BX_PANIC(("parse_line_unformatted(): out of memory"));
 }
- } else {
- // append value to the string
- for (pv=(char *)value; *pv; pv++)
- string[string_i++] = *pv;
 }
 }
 #endif
 if (!isspace(ptr[i]) || inquotes) {
- string[string_i++] = ptr[i];
+ if (string_i < 511) {
+ string[string_i++] = ptr[i];
+ } else {
+ BX_PANIC(("parse_line_unformatted(): out of memory"));
+ }
 }
 }
 }
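Review bot: The three new bounds checks hard-code the buffer size as `512` and `511`, while the declaration of `string` is outside this hunk, so a later change to the buffer size would silently leave the guards wrong. If `string` is a local array in parse_line_unformatted(), tie the checks to it, e.g. `if ((string_i + strlen(value)) < sizeof(string)) {` and `if ((size_t)string_i < sizeof(string) - 1) {`, or use one named constant for both the declaration and the checks. The panic text "out of memory" also misreports the condition, which is an expanded config line exceeding a fixed buffer; `BX_PANIC(("parse_line_unformatted(): expanded line too long"));` would be clearer in logs. `*pv = 0;` at the top of the hunk terminates `varname`, whose fill loop lies above the hunk, so it is not visible here whether that copy is bounded as well.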