From e00b9e9e3f13929b36952703d64e3930d710a220 Mon Sep 17 00:00:00 2001
From: "Ryan C. Gordon" <icculus@icculus.org>
Date: Mon, 12 Oct 2009 05:56:10 +0000
Subject: [PATCH] Make sure error messages can't overflow a buffer.

  Fixes Bugzilla #840.
---
 timidity/config.h   | 2 ++
 timidity/sdl_c.c    | 2 +-
 timidity/timidity.c | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/timidity/config.h b/timidity/config.h
index 0ff0dbdc..ace589b3 100644
--- a/timidity/config.h
+++ b/timidity/config.h
@@ -22,6 +22,8 @@
 #include "SDL_config.h"
 #include "SDL_endian.h"
 
+#define TIMIDITY_ERROR_SIZE 1024
+
 /* When a patch file can't be opened, one of these extensions is
    appended to the filename and the open is tried again.
  */
diff --git a/timidity/sdl_c.c b/timidity/sdl_c.c
index a9d86002..b576ced6 100644
--- a/timidity/sdl_c.c
+++ b/timidity/sdl_c.c
@@ -115,7 +115,7 @@ static int cmsg(int type, int verbosity_level, char *fmt, ...)
       ctl.verbosity<verbosity_level)
     return 0;
   va_start(ap, fmt);
-  vsprintf(timidity_error, fmt, ap);
+  SDL_vsnprintf(timidity_error, TIMIDITY_ERROR_SIZE, fmt, ap);
   va_end(ap);
   return 0;
 #endif
diff --git a/timidity/timidity.c b/timidity/timidity.c
index b8f592a3..1dea30ca 100644
--- a/timidity/timidity.c
+++ b/timidity/timidity.c
@@ -367,8 +367,9 @@ int Timidity_Init(int rate, int format, int channels, int samples)
   return(0);
 }
 
-char timidity_error[1024] = "";
+char timidity_error[TIMIDITY_ERROR_SIZE] = "";
 const char *Timidity_Error(void)
 {
   return(timidity_error);
 }
+