From a90ed30e743c37eb53c3c0ad003e4e09abf78aac Mon Sep 17 00:00:00 2001
From: Bas van Schaik <bas@traiectum.net>
Date: Thu, 3 Dec 2015 13:23:18 +0000
Subject: [PATCH 1/3] ensure buffer is large enough for two ints and some
 extras

---
 Incremental.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Incremental.c b/Incremental.c
index 781d27d..32090d9 100644
--- a/Incremental.c
+++ b/Incremental.c
@@ -663,7 +663,7 @@ static void find_reject(int mdfd, struct supertype *st, struct mdinfo *sra,
 			 * without thinking more */
 
 	for (d = sra->devs; d ; d = d->next) {
-		char dn[10];
+		char dn[24]; // 2*11 bytes for ints (including sign) + colon + null byte
 		int dfd;
 		struct mdinfo info;
 		sprintf(dn, "%d:%d", d->disk.major, d->disk.minor);

From fa9aca493007616cdc0529a2a4d13ff397a07558 Mon Sep 17 00:00:00 2001
From: Bas van Schaik <bas@traiectum.net>
Date: Thu, 3 Dec 2015 13:28:32 +0000
Subject: [PATCH 2/3] avoid confusion with parameter 'devname' with same name,
 ensure buffer is large enough for two ints plus extras

---
 Incremental.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Incremental.c b/Incremental.c
index 32090d9..a91129e 100644
--- a/Incremental.c
+++ b/Incremental.c
@@ -1030,12 +1030,12 @@ static int array_try_spare(char *devname, int *dfdp, struct dev_policy *pol,
 		int mdfd = open_dev(chosen->sys_name);
 		if (mdfd >= 0) {
 			struct mddev_dev devlist;
-			char devname[20];
+			char chosen_devname[24]; // 2*11 for int (including signs) + colon + null
 			devlist.next = NULL;
 			devlist.used = 0;
 			devlist.writemostly = 0;
-			devlist.devname = devname;
-			sprintf(devname, "%d:%d", major(stb.st_rdev),
+			devlist.devname = chosen_devname;
+			sprintf(chosen_devname, "%d:%d", major(stb.st_rdev),
 				minor(stb.st_rdev));
 			devlist.disposition = 'a';
 			close(dfd);

From 1158f25eaeaa840307725588db79e01a96f54144 Mon Sep 17 00:00:00 2001
From: Bas van Schaik <bas@traiectum.net>
Date: Thu, 3 Dec 2015 13:37:08 +0000
Subject: [PATCH 3/3] make sure 'path' buffer is large enough to fit 200
 characters plus null terminator

---
 mapfile.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mapfile.c b/mapfile.c
index 41599df..243ded1 100644
--- a/mapfile.c
+++ b/mapfile.c
@@ -176,7 +176,7 @@ void map_read(struct map_ent **melp)
 {
 	FILE *f;
 	char buf[8192];
-	char path[200];
+	char path[201];
 	int uuid[4];
 	char devnm[32];
 	char metadata[30];