Fix a segmentation fault in ncurses.

This is a backported patch [1] from ncurses-5.7-20100501. It takes begx
and begy values into account when calculating lengths, in order to avoid
writing data past the end of the buffer when calling memset in wredrawln().

From upstream NEWS file:

20100501
        + correct limit-check in wredrawln, accounting for begy/begx values
          (patch by David Benjamin).

[1] https://lists.gnu.org/archive/html/bug-ncurses/2010-04/msg00017.html

OK nicm@

1 files changed, 6 insertions, 6 deletions

diff --git a/lib/libcurses/base/lib_redrawln.c b/lib/libcurses/base/lib_redrawln.c
index d300a7c7ee0..e84667ca819 100644
--- a/lib/libcurses/base/lib_redrawln.c
+++ b/lib/libcurses/base/lib_redrawln.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lib_redrawln.c,v 1.3 2010/01/12 23:22:06 nicm Exp $ */
+/* $OpenBSD: lib_redrawln.c,v 1.4 2019/11/15 14:45:37 fcambus Exp $ */
 
 /****************************************************************************
  * Copyright (c) 1998-2006,2007 Free Software Foundation, Inc.              *
@@ -41,7 +41,7 @@
 
 #include <curses.priv.h>
 
-MODULE_ID("$Id: lib_redrawln.c,v 1.3 2010/01/12 23:22:06 nicm Exp $")
+MODULE_ID("$Id: lib_redrawln.c,v 1.4 2019/11/15 14:45:37 fcambus Exp $")
 
 NCURSES_EXPORT(int)
 wredrawln(WINDOW *win, int beg, int num)
@@ -65,14 +65,14 @@ wredrawln(WINDOW *win, int beg, int num)
 	returnCode(ERR);
 
     end = beg + num;
-    if (end > curscr->_maxy + 1)
-	end = curscr->_maxy + 1;
+    if (end > curscr->_maxy + 1 - win->_begy)
+	end = curscr->_maxy + 1 - win->_begy;
     if (end > win->_maxy + 1)
 	end = win->_maxy + 1;
 
     len = (win->_maxx + 1);
-    if (len > (size_t) (curscr->_maxx + 1))
-	len = (size_t) (curscr->_maxx + 1);
+    if (len > (size_t) (curscr->_maxx + 1 - win->_begx))
+	len = (size_t) (curscr->_maxx + 1 - win->_begx);
     len *= sizeof(curscr->_line[0].text[0]);
 
     for (i = beg; i < end; i++) {