diff -up cracklib-2.9.6/lib/fascist.c.overflow cracklib-2.9.6/lib/fascist.c

--- cracklib-2.9.6/lib/fascist.c.overflow	2015-10-23 16:58:38.403319225 +0200

+++ cracklib-2.9.6/lib/fascist.c	2016-12-08 17:28:41.490101358 +0100

@@ -515,7 +515,7 @@ FascistGecosUser(char *password, const c

     char gbuffer[STRINGSIZE];

     char tbuffer[STRINGSIZE];

     char *uwords[STRINGSIZE];

-    char longbuffer[STRINGSIZE * 2];

+    char longbuffer[STRINGSIZE];

     if (gecos == NULL)

 	gecos = "";

@@ -596,38 +596,47 @@ FascistGecosUser(char *password, const c

     {

 	for (i = 0; i < j; i++)

 	{

-	    strcpy(longbuffer, uwords[i]);

-	    strcat(longbuffer, uwords[j]);

-

-	    if (GTry(longbuffer, password))

+	    if (strlen(uwords[i]) + strlen(uwords[j]) < STRINGSIZE)

 	    {

-		return _("it is derived from your password entry");

-	    }

-

-	    strcpy(longbuffer, uwords[j]);

-	    strcat(longbuffer, uwords[i]);

+		strcpy(longbuffer, uwords[i]);

+		strcat(longbuffer, uwords[j]);

-	    if (GTry(longbuffer, password))

-	    {

-		return _("it's derived from your password entry");

+		if (GTry(longbuffer, password))

+		{

+		    return _("it is derived from your password entry");

+		}

+

+		strcpy(longbuffer, uwords[j]);

+		strcat(longbuffer, uwords[i]);

+

+		if (GTry(longbuffer, password))

+		{

+		   return _("it's derived from your password entry");

+		}

 	    }

-	    longbuffer[0] = uwords[i][0];

-	    longbuffer[1] = '\0';

-	    strcat(longbuffer, uwords[j]);

-

-	    if (GTry(longbuffer, password))

+	    if (strlen(uwords[j]) < STRINGSIZE - 1)

 	    {

-		return _("it is derivable from your password entry");

+		longbuffer[0] = uwords[i][0];

+		longbuffer[1] = '\0';

+		strcat(longbuffer, uwords[j]);

+

+		if (GTry(longbuffer, password))

+		{

+		    return _("it is derivable from your password entry");

+		}

 	    }

-	    longbuffer[0] = uwords[j][0];

-	    longbuffer[1] = '\0';

-	    strcat(longbuffer, uwords[i]);

-

-	    if (GTry(longbuffer, password))

+	    if (strlen(uwords[i]) < STRINGSIZE - 1)

 	    {

-		return _("it's derivable from your password entry");

+		longbuffer[0] = uwords[j][0];

+		longbuffer[1] = '\0';

+		strcat(longbuffer, uwords[i]);

+

+		if (GTry(longbuffer, password))

+		{

+		    return _("it's derivable from your password entry");

+		}

 	    }

 	}

     }

diff -up cracklib-2.9.6/lib/rules.c.overflow cracklib-2.9.6/lib/rules.c

--- cracklib-2.9.6/lib/rules.c.overflow	2015-10-23 16:58:38.000000000 +0200

+++ cracklib-2.9.6/lib/rules.c	2016-12-08 18:03:27.041941297 +0100

@@ -158,6 +158,8 @@ Pluralise(string, area)		/* returns a po

     register int length;

     length = strlen(string);

     strcpy(area, string);

+    if (length > STRINGSIZE - 3) /* we add 2 characters at worst */

+	return (area);

     if (!Suffix(string, "ch") ||

 	!Suffix(string, "ex") ||

@@ -462,11 +464,11 @@ Mangle(input, control, area)		/* returns

 	    Pluralise(area2, area);

 	    break;

 	case RULE_REFLECT:

-	    strcat(area, Reverse(area, area2));

+	    strncat(area, Reverse(area, area2), STRINGSIZE - strlen(area) - 1);

 	    break;

 	case RULE_DUPLICATE:

 	    strcpy(area2, area);

-	    strcat(area, area2);

+	    strncat(area, area2, STRINGSIZE - strlen(area) - 1);

 	    break;

 	case RULE_GT:

 	    if (!ptr[1])

@@ -514,7 +516,8 @@ Mangle(input, control, area)		/* returns

 	    } else

 	    {

 		area2[0] = *(++ptr);

-		strcpy(area2 + 1, area);

+		strncpy(area2 + 1, area, STRINGSIZE - 2);

+		area2[STRINGSIZE - 1] = '\0';

 		strcpy(area, area2);

 	    }

 	    break;

@@ -528,8 +531,10 @@ Mangle(input, control, area)		/* returns

 		register char *string;

 		string = area;

 		while (*(string++));

-		string[-1] = *(++ptr);

-		*string = '\0';

+		if (string < area + STRINGSIZE) {

+			string[-1] = *(++ptr);

+			*string = '\0';

+		}

 	    }

 	    break;

 	case RULE_EXTRACT:

@@ -600,6 +605,10 @@ Mangle(input, control, area)		/* returns

 		}

 		p1 = area;

 		p2 = area2;

+		if (strlen(p1) > STRINGSIZE - 2) {

+			/* truncate */

+			p1[STRINGSIZE - 2] = '\0';

+		}

 		while (i && *p1)

 		{

 		    i--;