From 50557a4f633810caa9ccf7841957a57f3e7c7d60 Mon Sep 17 00:00:00 2001
From: Adam Majer <amajer@suse.de>
Date: Tue, 2 Aug 2016 11:10:45 +0200
Subject: [PATCH] Fix static buffer overrrun (issue #443)

result[6] is a fixed array of size 6, but in the process
of copying data into it, we clobber the last allocated byte.

Simplify some of the code by not calling redundant functions.
---
 src/language.c | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/src/language.c b/src/language.c
index 4e0b98ebd..c67d79407 100644
--- a/src/language.c
+++ b/src/language.c
@@ -601,7 +601,6 @@ tmbstr tidyNormalizedLocaleName( ctmbstr locale )
     uint i;
     uint len;
     static char result[6] = "xx_yy";
-    char character[1];
     tmbstr search = strdup(locale);
     search = TY_(tmbstrtolower)(search);
     
@@ -622,27 +621,28 @@ tmbstr tidyNormalizedLocaleName( ctmbstr locale )
      junk language that doesn't exist and won't be set. */
     
     len = strlen( search );
-    len = len <= 5 ? len : 5;
+    len = ( len <= 5 ? len : 5 );
     
-    for ( i = 0; i <= len; i++ )
+    for ( i = 0; i < len; i++ )
     {
         if ( i == 2 )
         {
             /* Either terminate the string or ensure there's an underscore */
-            if (strlen( search) >= 5)
-                character[0] = '_';
-            else
-                character[0] = '\0';
-            strncpy( result + i, character, 1 );
+            if (len == 5) {
+                result[i] = '_';
+            }
+            else {
+                result[i] = '\0';
+                break;      /* no need to copy after null */
+            }
         }
         else
         {
-            strncpy( result + i, search + i, 1);
-            result[i] = tolower( result[i] );
+            result[i] = tolower( search[i] );
         }
     }
     
-    if ( search ) free( search );
+    free( search );
     return result;
 }