===================================================================
RCS file: /cvs/mandoc/cgi.c,v
retrieving revision 1.33
retrieving revision 1.35
diff -u -p -r1.33 -r1.35
--- mandoc/cgi.c	2011/12/15 12:18:57	1.33
+++ mandoc/cgi.c	2011/12/16 12:06:35	1.35
@@ -1,4 +1,4 @@
-/*	$Id: cgi.c,v 1.33 2011/12/15 12:18:57 kristaps Exp $ */
+/*	$Id: cgi.c,v 1.35 2011/12/16 12:06:35 kristaps Exp $ */
 /*
  * Copyright (c) 2011 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -749,10 +749,11 @@ static void
 pg_show(const struct req *req, char *path)
 {
 	struct manpaths	 ps;
+	size_t		 sz;
 	char		*sub;
 	char		 file[MAXPATHLEN];
-	const char	*fn, *cp;
-	int		 rc;
+	const char	*cp;
+	int		 rc, catm;
 	unsigned int	 vol, rec, mr;
 	DB		*idx;
 	DBT		 key, val;
@@ -804,7 +805,8 @@ pg_show(const struct req *req, char *path)
 		goto out;
 	}
 
-	strlcpy(file, ps.paths[vol], MAXPATHLEN);
+	sz = strlcpy(file, ps.paths[vol], MAXPATHLEN);
+	assert(sz < MAXPATHLEN);
 	strlcat(file, "/mandoc.index", MAXPATHLEN);
 
 	/* Open the index recno(3) database. */
@@ -822,21 +824,24 @@ pg_show(const struct req *req, char *path)
 	if (0 != (rc = (*idx->get)(idx, &key, &val, 0))) {
 		rc < 0 ? resp_baddb() : resp_error400();
 		goto out;
-	} 
+	} else if (0 == val.size) {
+		resp_baddb();
+		goto out;
+	}
 
 	cp = (char *)val.data;
+	catm = 'c' == *cp++;
 
-	if (NULL == (fn = memchr(cp, '\0', val.size)))
+	if (NULL == memchr(cp, '\0', val.size - 1)) 
 		resp_baddb();
-	else if (++fn - cp >= (int)val.size)
-		resp_baddb();
-	else if (NULL == memchr(fn, '\0', val.size - (fn - cp)))
-		resp_baddb();
 	else {
-		if (0 == strcmp(cp, "cat"))
-			catman(req, fn + 1);
+ 		file[(int)sz] = '\0';
+ 		strlcat(file, "/", MAXPATHLEN);
+ 		strlcat(file, cp, MAXPATHLEN);
+		if (catm) 
+			catman(req, file);
 		else
-			format(req, fn + 1);
+			format(req, file);
 	}
 out:
 	if (idx)