-rw-r--r-- | libical/ChangeLog | 7 | ||||
-rw-r--r-- | libical/src/libical/icalproperty.c | 13 |
2 files changed, 16 insertions, 4 deletions
diff --git a/libical/ChangeLog b/libical/ChangeLog index 476b18e158..066d625076 100644 --- a/libical/ChangeLog +++ b/libical/ChangeLog @@ -1,5 +1,12 @@ 2001-10-30 Damon Chaplin <damon@ximian.com> + * src/libical/icalproperty.c (fold_property_line): forgot to account + for the spaces added, so it could have been writing over the end of + the allocated memory. Added check for buffer overflow as well. + This could well have been the problem causing bug #14067. + +2001-10-30 Damon Chaplin <damon@ximian.com> + * zoneinfo/*.ics: Regenerated all VTIMEZONEs, to be compatable with Outlook Web Access. They now only include 2 RRULEs components or 1 simple DTSTART component. diff --git a/libical/src/libical/icalproperty.c b/libical/src/libical/icalproperty.c index a872b17b7f..331443e3dd 100644 --- a/libical/src/libical/icalproperty.c +++ b/libical/src/libical/icalproperty.c @@ -270,18 +270,19 @@ icalproperty_free (icalproperty* prop) static char* fold_property_line (char *text) { - int len, max_lines, line_length; + int len, max_lines, line_length, buf_len; char *buf, *src, *dest, ch; len = strlen (text); /* The minimum length we split a line at is 65 characters, so calculate the maximum number of newlines we will need. */ - max_lines = ((len - 1) / 65); + max_lines = len / 65; /* Calculate the maximum size for the buffer we need, if we add a newline - character for each line, and a '\0' at the end. */ - buf = icalmemory_tmp_buffer (len + max_lines + 1); + and a space character for each line, and a '\0' at the end. */ + buf_len = len + (max_lines * 2); + buf = icalmemory_tmp_buffer (buf_len + 1); src = text; dest = buf; @@ -299,6 +300,10 @@ fold_property_line (char *text) line_length++; src++; + + if (dest - buf > buf_len) { + icalerror_warn ("Buffer overflow."); + } } *dest = '\0'; |
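Review bot: The size arithmetic at the top of `fold_property_line` stays in `int`: `len = strlen (text)` narrows a `size_t`, and `buf_len = len + (max_lines * 2)` can overflow for a very long property value, which would make the `icalmemory_tmp_buffer` request smaller than the text the loop copies. Property text can originate from parsed calendar data, so I would declare these as `size_t len, max_lines, buf_len;` and cast in the later `dest - buf` comparison. The result of `icalmemory_tmp_buffer` is also assigned to `dest` with no NULL check in the visible lines. The new bound assumes each fold emits exactly two bytes and that folds are at least 65 source characters apart; the loop that does this is outside the hunk, so a short comment next to `buf_len` stating that invariant would help the next reader confirm it.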
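Review bot: The check added after `src++` in the second icalproperty.c hunk fires only once `dest` has already moved past `buf_len`, and the loop then keeps copying, so the out-of-bounds stores and the final `*dest = '\0'` still happen. Whether `icalerror_warn` aborts is not visible here; if it only logs, the heap is already corrupted by the time the message appears. A guard placed before the store that stops the copy would contain it, for example `if (dest - buf >= buf_len) { icalerror_warn ("Buffer overflow."); break; }`, with the fold path checking for two bytes of room before it writes the newline and space. The loop body starts outside the hunk, so the exact placement needs to be checked against the full function.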