From cb16fe9d9652918610d2b86d955f0d09014c3f23 Mon Sep 17 00:00:00 2001
From: Benedikt Heine
Date: Wed, 14 Nov 2018 17:08:18 +0100
Subject: [PATCH] Fix DoS in notification_format_message
When using a format with a trailing % character, dunst ends in an endless loop, searching for a % char, while pointing exactly with the haystack on the % character. Increasing the substring pointer will shift the pointer forwards onto the actual NULL character and stop the loop.
---
 src/notification.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/notification.c b/src/notification.c
index 0155093..fabda53 100644
--- a/src/notification.c
+++ b/src/notification.c
@@ -376,7 +376,7 @@ static void notification_format_message(struct notification *n)
 /* replace all formatter */
 for(char *substr = strchr(n->msg, '%');
- substr;
+ substr && *substr;
 substr = strchr(substr, '%')) {
 char pg[16];
@@ -450,6 +450,7 @@ static void notification_format_message(struct notification *n)
 case '\0':
 LOG_W("format_string has trailing %% character. "
 "To escape it use %%%%.");
+ substr++;
 break;
 default:
 LOG_W("format_string %%%c is unknown.", substr[1]);
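Review bot: The `*substr` test added to the loop condition in the first hunk does not appear to be what terminates the loop: both the initialiser and the increment assign `substr` from `strchr(..., '%')`, which yields either NULL or a pointer to a `%`, so `*substr` is never `'\0'` when the condition is evaluated. Termination comes from the `substr++` in the second hunk instead. Keeping the check as defence in depth is reasonable, but it should say so, e.g. `/* defensive only: strchr() never hands back the terminator here */`, so that nobody later removes the `substr++` believing the condition covers the trailing-`%` case. The loop body runs past the end of the hunk, so whether every other case advances `substr` cannot be confirmed from here.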
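Review bot: The `substr++` added under `case '\0':` in the second hunk is the line that actually ends the endless loop, yet it carries no comment explaining why a pointer is advanced in what reads as a pure warning branch; I would add `/* step onto the terminating NUL so the next strchr() returns NULL */` above it. The diffstat lists only src/notification.c, so the fix ships without a regression test. A test that formats a notification whose format ends in a single `%` and checks that the call returns would pin the behaviour the commit message describes as a DoS. The switch continues outside the hunk, so the handling after the `default:` warning is not visible here.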