Fix issues found by auditing w32notify code

* src/w32inevt.c (handle_file_notifications): Count the number of
events to be returned.
* src/w32notify.c (send_notifications): Don't copy to the file
notification buffer more than it can hold.  (Bug#22534)

2 files changed, 4 insertions, 2 deletions

diff --git a/src/w32inevt.c b/src/w32inevt.c
index 54b0b13f54e..e714e27f4bc 100644
--- a/src/w32inevt.c
+++ b/src/w32inevt.c
@@ -660,6 +660,7 @@ handle_file_notifications (struct input_event *hold_quit)
               inev.arg = list3 (make_pointer_integer (notifications_desc),
                                 action, fname);
               kbd_buffer_store_event_hold (&inev, hold_quit);
+              nevents++;
 
               if (!fni->NextEntryOffset)
                 break;
diff --git a/src/w32notify.c b/src/w32notify.c
index 576cf844dab..71787c45db8 100644
--- a/src/w32notify.c
+++ b/src/w32notify.c
@@ -144,8 +144,9 @@ send_notifications (BYTE *info, DWORD info_size, void *desc,
       if (!notification_buffer_in_use)
         {
           if (info_size)
-            memcpy (file_notifications, info, info_size);
-          notifications_size = info_size;
+            memcpy (file_notifications, info,
+                    min (info_size, sizeof (file_notifications)));
+          notifications_size = min (info_size, sizeof (file_notifications));
           notifications_desc = desc;
           /* If PostMessage fails, the message queue is full.  If that
              happens, the last thing they will worry about is file