Fix buffer overflow in string_vformat. Bug 2449

[exim.git] / src / src / string.c

diff --git a/src/src/string.c b/src/src/string.c
index c6549bf933ebcd796a31ece61d8cb5f861de637b..3445f8a42ebe678266ae26c2255bc611b47986e6 100644 (file)
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -1132,7 +1132,7 @@ store_reset(g->s + (g->size = g->ptr + 1));
 Arguments:
   g            the growable-string
   p            current end of data
-  count                amount to grow by
+  count                amount to grow by, offset from p
 */
 
 static void
@@ -1590,7 +1590,7 @@ while (*fp)
        }
       else if (g->ptr >= lim - width)
        {
-       gstring_grow(g, g->ptr, width - (lim - g->ptr));
+       gstring_grow(g, g->ptr, width);
        lim = g->size - 1;
        gp = CS g->s + g->ptr;
        }