From 8b66dfc860374555d7c85700a84f10fb86a20140 Mon Sep 17 00:00:00 2001
From: Tobias Doerffel <tobias.doerffel@gmail.com>
Date: Sun, 20 May 2012 18:55:30 +0200
Subject: [PATCH] ZynAddSubFX: fixed possible buffer overflow

bankdir could be overflowed in the strncat function since the length
limit is not correctly specified.

Closes #3510466.
---
 plugins/zynaddsubfx/src/Misc/Bank.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/plugins/zynaddsubfx/src/Misc/Bank.cpp b/plugins/zynaddsubfx/src/Misc/Bank.cpp
index 256184736..246a4098a 100644
--- a/plugins/zynaddsubfx/src/Misc/Bank.cpp
+++ b/plugins/zynaddsubfx/src/Misc/Bank.cpp
@@ -337,9 +337,9 @@ int Bank::newbank(const char *newbankdirname)
 
     if(((bankdir[strlen(bankdir) - 1]) != '/')
        && ((bankdir[strlen(bankdir) - 1]) != '\\'))
-        strncat(bankdir, "/", MAX_STRING_SIZE);
+        strncat(bankdir, "/", MAX_STRING_SIZE - strlen(bankdir) - 1 );
     ;
-    strncat(bankdir, newbankdirname, MAX_STRING_SIZE);
+    strncat(bankdir, newbankdirname, MAX_STRING_SIZE - strlen(bankdir) - 1);
 #ifdef OS_WINDOWS
     result = mkdir(bankdir);
 #else