https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1010355

CVE: CVE-2022-0529
Upstream-Status: Inactive-Upstream [need a new release]

diff --git a/process.c b/process.c
index d2a846e..99b9c7b 100644
--- a/process.c
+++ b/process.c
@@ -2507,13 +2507,15 @@ char *wide_to_local_string(wide_string, escape_all)
   char buf[9];
   char *buffer = NULL;
   char *local_string = NULL;
+  size_t buffer_size;
 
   for (wsize = 0; wide_string[wsize]; wsize++) ;
 
   if (max_bytes < MAX_ESCAPE_BYTES)
     max_bytes = MAX_ESCAPE_BYTES;
 
-  if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
+  buffer_size = wsize * max_bytes + 1;
+  if ((buffer = (char *)malloc(buffer_size)) == NULL) {
     return NULL;
   }
 
@@ -2552,7 +2554,11 @@ char *wide_to_local_string(wide_string, escape_all)
       /* no MB for this wide */
         /* use escape for wide character */
         char *escape_string = wide_to_escape_string(wide_string[i]);
-        strcat(buffer, escape_string);
+        size_t buffer_len = strlen(buffer);
+        size_t escape_string_len = strlen(escape_string);
+        if (buffer_len + escape_string_len + 1 > buffer_size)
+          escape_string_len = buffer_size - buffer_len - 1;
+        strncat(buffer, escape_string, escape_string_len);
         free(escape_string);
     }
   }