2 files changed, 13 insertions, 7 deletions

diff --git a/ChangeLog b/ChangeLog
index 94c3da836..91bc7450a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2006-03-10  Alan Coopersmith  <alan.coopersmith@sun.com>
 
+	* hw/xfree86/utils/xorgcfg/help.c: 
+	Fix buffer size checks to prevent 2-byte buffer overflows.
+	(Coverity #480, #481, #482, #483)
+
+2006-03-10  Alan Coopersmith  <alan.coopersmith@sun.com>
+	
 	* configure.ac: 
 	* include/dix-config.h.in: 
 	Add HAS_MMAP for Xvfb
diff --git a/hw/xfree86/utils/xorgcfg/help.c b/hw/xfree86/utils/xorgcfg/help.c
index e13b9924e..c6bfcbad2 100644
--- a/hw/xfree86/utils/xorgcfg/help.c
+++ b/hw/xfree86/utils/xorgcfg/help.c
@@ -820,7 +820,7 @@ Html_ParseTag(Html_Parser *parser)
 	    (void)Html_Get(parser);			/* eat `/' */
 	    sz = 0;
 	    while (isalnum(Html_Peek(parser)) &&
-		   sz <= sizeof(buf) + 1)
+		   ((sz + 1) < sizeof(buf)))
 		buf[sz++] = tolower(Html_Get(parser));
 	    buf[sz] = '\0';
 	    if ((info = Html_GetInfo(buf)) != NULL) {
@@ -854,7 +854,7 @@ Html_ParseTag(Html_Parser *parser)
 	default:
 	    sz = 0;
 	    while (isalnum(Html_Peek(parser)) &&
-		   sz <= sizeof(buf) + 1)
+		   ((sz + 1) < sizeof(buf)))
 		buf[sz++] = tolower(Html_Get(parser));
 	    buf[sz] = '\0';
 	    if ((info = Html_GetInfo(buf)) != NULL) {
@@ -1020,7 +1020,7 @@ Html_Parse1(Html_Parser *parser)
 	    while ((ch = Html_Peek(parser)) != ';'
 		   && ch != EOF && !isspace(ch)) {
 		ch = Html_Get(parser);
-		if (sz + 1 <= sizeof(buf))
+		if (sz + 1 < sizeof(buf))
 		    buf[sz++] = ch;
 	    }
 	    buf[sz] = '\0';
@@ -1273,7 +1273,7 @@ Html_FormatTag(Html_Parser *parser)
 	case '/':
 	    (void)Html_Get(parser);			/* eat `/' */
 	    while (isalnum(Html_Peek(parser)) &&
-		   sz <= sizeof(buf) + 1)
+		   ((sz + 1) < sizeof(buf)))
 		buf[sz++] = ch = tolower(Html_Get(parser));
 	    buf[sz] = '\0';
 	    if ((info = Html_GetInfo(buf)) != NULL && info->adnl) {
@@ -1315,7 +1315,7 @@ Html_FormatTag(Html_Parser *parser)
 	    break;
 	default:
 	    while (isalnum(Html_Peek(parser)) &&
-		   sz <= sizeof(buf) + 1)
+		   ((sz + 1) < sizeof(buf)))
 		buf[sz++] = tolower(Html_Get(parser));
 	    buf[sz] = '\0';
 	    if ((info = Html_GetInfo(buf)) != NULL && info->adnl) {
@@ -1625,7 +1625,7 @@ Html_FontArgs(Html_Parser *parser, Html_Item *item)
 	sz = 0;
 	name[sz++] = tolower(Html_Get(parser));
 	while ((ch = Html_Peek(parser)) != '>' && ch != EOF)
-	    if (isalnum(ch) && sz + 1 <= sizeof(name))
+	    if (isalnum(ch) && (sz + 1 < sizeof(name)))
 		name[sz++] = tolower(Html_Get(parser));
 	    else
 		break;
@@ -1639,7 +1639,7 @@ Html_FontArgs(Html_Parser *parser, Html_Item *item)
 
 	sz = 0;
 	while ((ch = Html_Peek(parser)) != '>' && ch != EOF) {
-	    if (!isspace(ch) && sz + 1 <= sizeof(value))
+	    if (!isspace(ch) && (sz + 1 < sizeof(value)))
 		value[sz++] = Html_Get(parser);
 	    else
 		break;