-rw-r--r--NEWS10
-rw-r--r--socket.c5
2 files changed, 13 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index c9c86b54..a4f8b40b 100644
--- a/NEWS
+++ b/NEWS
@@ -65,6 +65,16 @@ removed from a 6.5.0 or newer release.)
--------------------------------------------------------------------------------
+fetchmail-6.4.3 (WIP)
+
+## BUGFIX:
+* fetchmail terminated the placeholder command string too late and included
+ garbage from the heap at the end of the string. Workaround: don't use place-
+ holders %h or %p in the --plugin string. Bug added in 6.4.0 when merging
+ Gitlab merge request !5 in order to fix an input buffer overrun.
+ Faulty commit 418cda65f752e367fa663fd13884a45fcbc39ddd.
+ Reported by Stefan Thurner.
+
fetchmail-6.4.2 (released 2020-02-14, 27473 LoC):
## BREAKING CHANGES:
diff --git a/socket.c b/socket.c
index 836db8bd..731efa3e 100644
--- a/socket.c
+++ b/socket.c
@@ -104,7 +104,8 @@ static char *const *parse_plugin(const char *plugin, const char *host, const cha
p = c;
}
- plugin_copy_len = plugin_len + host_len * host_count + service_len * service_count;
+ /* we need to discount 2 bytes for each placeholder */
+ plugin_copy_len = plugin_len + (host_len - 2) * host_count + (service_len - 2) * service_count;
plugin_copy = (char *)malloc(plugin_copy_len + 1);
if (!plugin_copy)
{
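Review bot: On the new plugin_copy_len line the discount is subtracted per placeholder before the products are summed, so for a host or service shorter than two characters the intermediate `host_len - 2` goes negative or, if these are size_t, wraps; the final value still comes out right only because plugin_len already counts the two placeholder bytes, and that reasoning is easier to check if the discount is applied last: `plugin_copy_len = plugin_len + host_len * host_count + service_len * service_count - 2 * (host_count + service_count);`. Since the bug being fixed was exactly a divergence between the computed length and the bytes actually written, the copy loop (which lies outside this hunk, as does the rest of parse_plugin) would benefit from a guard that plugin_copy_offset equals plugin_copy_len before the terminator is stored, e.g. `assert(plugin_copy_offset == plugin_copy_len);` or the project's usual internal-error path. The added comment could also name what it discounts: `/* each %h / %p placeholder (2 bytes) is replaced by its expansion */`.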
@@ -129,7 +130,7 @@ static char *const *parse_plugin(const char *plugin, const char *host, const cha
plugin_copy_offset++;
}
}
- plugin_copy[plugin_copy_len] = 0;
+ plugin_copy[plugin_copy_offset] = 0;
/* XXX FIXME - is this perhaps a bit too simplistic to chop down the argument strings without any respect to quoting?
* better write a generic function that tracks arguments instead... */