Make sure to leave room for trailing nil byte in yyGetNumber

...though really, by the time you've added 1023 digits to the number
you want to parse, you've got much bigger problems than an off-by-one
error in your buffer count.

Fixes parfait warnings:
   Buffer overflow (CWE 120): In array dereference of (*buf)[nInBuf] with index 'nInBuf'
      Array size is 1024 bytes, nInBuf >= 1 and nInBuf <= 1024
        at line 625 of xkbscan.c in function 'yyGetNumber'.
   Buffer overflow (CWE 120): In array dereference of (*buf)[nInBuf] with index 'nInBuf'
      Array size is 1024 bytes, nInBuf <= 1025
        at line 632 of xkbscan.c in function 'yyGetNumber'.

[ This bug was found by the Parfait 0.4.2 bug checking tool.
  For more information see http://labs.oracle.com/projects/parfait/ ]

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

1 files changed, 3 insertions, 3 deletions

diff --git a/xkbscan.c b/xkbscan.c
index 814a123..22a034f 100644
--- a/xkbscan.c
+++ b/xkbscan.c
@@ -615,16 +615,16 @@ yyGetNumber(int ch)
     nInBuf = 1;
     while (((ch = scanchar()) != EOF)
            && (isxdigit(ch) || ((nInBuf == 1) && (ch == 'x')))
-           && nInBuf < nMaxBuffSize)
+           && nInBuf < (nMaxBuffSize - 1))
     {
         buf[nInBuf++] = ch;
     }
-    if (ch == '.')
+    if ((ch == '.') && (nInBuf < (nMaxBuffSize - 1)))
     {
         isFloat = 1;
         buf[nInBuf++] = ch;
         while (((ch = scanchar()) != EOF) && (isxdigit(ch))
-               && nInBuf < nMaxBuffSize)
+               && nInBuf < (nMaxBuffSize - 1))
         {
             buf[nInBuf++] = ch;
         }