Possible buffer overrun in eval_text()
From: Daniel Drake
If the string "\" is passed to eval_text, the backslash-handling code causes the character pointer to go beyond the terminating NULL character, causing potentially lots of random data to be written into the output buffer.
Index: splashutils-1.3/render.c
===================================================================
--- splashutils-1.3.orig/render.c
+++ splashutils-1.3/render.c
@@ -349,7 +349,13 @@ char *eval_text(char *txt)
 while (*p != 0) {
 if (*p == '\\') {
+ /* to allow literal "$progress" i.e. \$progress */
 p++;
+
+ /* might have reached end of string */
+ if (*p == 0)
+ break;
+
 *d = *p;
 p++;
 d++;
@@ -367,7 +373,7 @@ char *eval_text(char *txt)
 }
 }
- *d = *p;
+ *d = 0; /* NULL-terminate */
 return ret;
 }
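Review bot: The new `if (*p == 0) break;` in the first hunk silently drops a lone trailing backslash instead of copying it literally, and neither the new comment nor the surrounding code says that this is intended; the next person touching the escape handling cannot tell whether it is a deliberate choice or an accident of the fix. Suggest extending the added comment to `/* might have reached end of string: a trailing lone backslash is dropped */`. The check stops the read past the terminator, but the writes through `d` remain bounded only by however `ret` was sized outside this hunk — if that size is derived from the input length and any substitution expands to more characters than its source text, the output side would need its own bound; the allocation is not visible here, so this is a point to confirm rather than a defect I can show. eval_text's body starts before this hunk and continues past it.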