f8b7740e1898ae4a2ad289ef043a541c4179e0ae
angie
  Fri Sep 30 12:05:55 2016 -0700
Expand vaHtmlSafefNoAbort's newFormatSize 3x instead of 2x to prevent uncaught overflow on format strings composed mostly of %s's, since 3 bytes are added for every %s (two bytes expand to five bytes).

diff --git src/lib/htmshell.c src/lib/htmshell.c
index 894646c..b24dad6 100644
--- src/lib/htmshell.c
+++ src/lib/htmshell.c
@@ -1245,31 +1245,31 @@
 *pI = i - 1;
 return enc;
 }
 
 
 int vaHtmlSafefNoAbort(char* buffer, int bufSize, char *format, va_list args, boolean noAbort, boolean noWarnOverflow)
 /* VarArgs Format string to buffer, vsprintf style, only with buffer overflow
  * checking.  The resulting string is always terminated with zero byte.
  * Automatically escapes string values.
  * Returns count of bytes written or -1 for overflow or -2 for other errors.
  * This function should be efficient on statements with many strings to be escaped. */
 {
 int formatLen = strlen(format);
 
 char *newFormat = NULL;
-int newFormatSize = 2*formatLen + 1;
+int newFormatSize = 3*formatLen + 1;
 newFormat = needMem(newFormatSize);
 char *nf = newFormat;
 char *lastPct = NULL;
 int escStringsCount = 0;
 
 char c = 0;
 int i = 0;
 boolean inPct = FALSE;
 while (i < formatLen)
     {
     c = format[i];
     *nf++ = c;
     if (c == '%' && !inPct)
 	{
 	inPct = TRUE;