From 35974ee46dfec8a09e7b0f663ca6fbb25e82c280 Mon Sep 17 00:00:00 2001
From: Bram Matthys <syzop@vulnscan.org>
Date: Mon, 6 Apr 2026 08:36:07 +0200
Subject: [PATCH] Fix silly missing bufsize-- in xmlescape(). Not exploitable.
 This XML code is only used for DroneBL submission with no user- controlled
 variables (except $ip). Still, silly mistake to make and who knows what other
 XML stuff will happen in the future.

---
 src/support.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/support.c b/src/support.c
index 5f09c7b2e..292d5c3b2 100644
--- a/src/support.c
+++ b/src/support.c
@@ -1376,6 +1376,7 @@ char *xmlescape(const char *i, char *buf, int bufsize)
 				break;
 			strcpy(o, "&quot;");
 			o += 6;
+			bufsize -= 6;
 		} else
 		if (*i == '\'')
 		{
@@ -1383,6 +1384,7 @@ char *xmlescape(const char *i, char *buf, int bufsize)
 				break;
 			strcpy(o, "&apos;");
 			o += 6;
+			bufsize -= 6;
 		} else
 		if (*i == '<')
 		{
@@ -1390,6 +1392,7 @@ char *xmlescape(const char *i, char *buf, int bufsize)
 				break;
 			strcpy(o, "&lt;");
 			o += 4;
+			bufsize -= 4;
 		} else
 		if (*i == '>')
 		{
@@ -1397,6 +1400,7 @@ char *xmlescape(const char *i, char *buf, int bufsize)
 				break;
 			strcpy(o, "&gt;");
 			o += 4;
+			bufsize -= 4;
 		} else
 		if (*i == '&')
 		{
@@ -1404,11 +1408,13 @@ char *xmlescape(const char *i, char *buf, int bufsize)
 				break;
 			strcpy(o, "&amp;");
 			o += 5;
+			bufsize -= 5;
 		} else
 		{
 			if (bufsize <= 1)
 				break;
 			*o++ = *i;
+			bufsize--;
 		}
 	}