From 54cd853a49659a5ec5995bc538d7d3b051da9dfb Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Tue, 2 Jul 2019 21:22:01 +0100
Subject: [PATCH] Fix buffer overrun on keypress in non-UTF-8 sessions.

Commit 71e42b04a's refactoring of terminal keyboard input, in the case where a Unicode string derived from a keystroke is translated into some other charset to put on the wire, had allocated the output buffer for that translation one byte too small.
---
 terminal.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/terminal.c b/terminal.c
index dd123d21..968bc12d 100644
--- a/terminal.c
+++ b/terminal.c
@@ -2991,11 +2991,13 @@ static strbuf *term_input_data_from_unicode(
 * Since the terminal doesn't currently support any multibyte
 * character set other than UTF-8, we can assume here that
 * there will be at most one output byte per input wchar_t.
+ * (But also we must allow space for the trailing NUL that
+ * wc_to_mb will write.)
 */
- char *bufptr = strbuf_append(buf, len);
+ char *bufptr = strbuf_append(buf, len + 1);
 int rv;
 rv = wc_to_mb(term->ucsdata->line_codepage, 0, widebuf, len,
- bufptr, len, NULL, term->ucsdata);
+ bufptr, len + 1, NULL, term->ucsdata);
 buf->len = rv < 0 ? 0 : rv;
 }
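Review bot: The write stays in bounds only while the size given to `strbuf_append` and the size given to `wc_to_mb` are the same value, and the new code spells `len + 1` out separately at each call. Computing it once into a local used by both calls, for example `int outsize = len + 1;` (assuming `len` is an int like `rv`), would keep the allocation and the declared capacity from drifting apart in a later edit. The one-output-byte-per-wchar_t assumption is also still enforced only by the comment, so `buf->len = rv < 0 ? 0 : rv;` trusts whatever `wc_to_mb` returns. A check before that assignment such as `assert(rv <= len);` would make a violation fail loudly instead of leaving `buf->len` beyond the appended region. The function begins and ends outside this hunk, so the type of `len` and the state of `buf` on entry are not visible here.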