Don't blindly increase offsets by the return value of snprintf, if there

wasn't enough space this will go off the end. Instead clamp to the
available space. Fixes crash reported by Julien Rebetez.

arguments.c

@@ -125,7 +125,7 @@ args_free(struct args *args)
 size_t
 args_print(struct args *args, char *buf, size_t len)
 {
-	size_t		 	 off;
+	size_t		 	 off, used;
 	int			 i;
 	const char		*quotes;
 	struct args_entry	*entry;
@@ -165,9 +165,12 @@ args_print(struct args *args, char *buf, size_t len)
 			quotes = "\"";
 		else
 			quotes = "";
-		off += xsnprintf(buf + off, len - off, "%s-%c %s%s%s",
+		used = xsnprintf(buf + off, len - off, "%s-%c %s%s%s",
 		    off != 0 ? " " : "", entry->flag, quotes, entry->value,
 		    quotes);
+		if (used > len - off)
+			used = len - off;
+		off += used;
 	}
 
 	/* And finally the argument vector. */
@@ -181,8 +184,11 @@ args_print(struct args *args, char *buf, size_t len)
 			quotes = "\"";
 		else
 			quotes = "";
-		off += xsnprintf(buf + off, len - off, "%s%s%s%s",
+		used = xsnprintf(buf + off, len - off, "%s%s%s%s",
 		    off != 0 ? " " : "", quotes, args->argv[i], quotes);
+		if (used > len - off)
+			used = len - off;
+		off += used;
 	}
 
 	return (off);

cmd-list.c

@@ -103,7 +103,7 @@ size_t
 cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len)
 {
 	struct cmd	*cmd;
-	size_t		 off;
+	size_t		 off, used;
 
 	off = 0;
 	TAILQ_FOREACH(cmd, &cmdlist->list, qentry) {
@@ -112,8 +112,12 @@ cmd_list_print(struct cmd_list *cmdlist, char *buf, size_t len)
 		off += cmd_print(cmd, buf + off, len - off);
 		if (off >= len)
 			break;
-		if (TAILQ_NEXT(cmd, qentry) != NULL)
-			off += xsnprintf(buf + off, len - off, " ; ");
+		if (TAILQ_NEXT(cmd, qentry) != NULL) {
+			used = xsnprintf(buf + off, len - off, " ; ");
+			if (used > len - off)
+				used = len - off;
+			off += used;
+		}
 	}
 	return (off);
 }

window-copy.c

@@ -1194,8 +1194,8 @@ window_copy_write_line(
 		screen_write_puts(ctx, &gc, "%s", hdr);
 	} else if (py == last && data->inputtype != WINDOW_COPY_OFF) {
 		limit = sizeof hdr;
-		if (limit > screen_size_x(s))
-			limit = screen_size_x(s);
+		if (limit > screen_size_x(s) + 1)
+			limit = screen_size_x(s) + 1;
 		if (data->inputtype == WINDOW_COPY_NUMERICPREFIX) {
 			xoff = size = xsnprintf(hdr, limit,
 			    "Repeat: %u", data->numprefix);
@@ -1208,10 +1208,12 @@ window_copy_write_line(
 	} else
 		size = 0;
 
+	if (size < screen_size_x(s)) {
 		screen_write_cursormove(ctx, xoff, py);
 		screen_write_copy(ctx, data->backing, xoff,
 		    (screen_hsize(data->backing) - data->oy) + py,
 		    screen_size_x(s) - size, 1);
+	}
 
 	if (py == data->cy && data->cx == screen_size_x(s)) {
 		memcpy(&gc, &grid_default_cell, sizeof gc);