File ntp-CVE-2023-26551.patch of Package ntp.28894
--- libntp/mstolfp.c.orig
+++ libntp/mstolfp.c
@@ -14,7 +14,7 @@ mstolfp(
l_fp *lfp
)
{
- register const char *cp;
+ register const char *cp, *end;
register char *bp;
register const char *cpdec;
char buf[100];
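Review bot: The new `end` pointer on the `register const char *cp, *end;` line is introduced without any indication of its role, and its only use is in the bounds check of the following hunk, so a reader of the declaration block cannot tell it is a scan cursor rather than a second input pointer. A short trailing comment would make the intent visible where the variable is declared: `register const char *cp, *end;	/* end: one past the last digit or '.' of the input, for the buf size check */`. Keeping `register` matches the surrounding declarations, though modern compilers ignore it; the body of mstolfp continues beyond this hunk.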
@@ -42,6 +42,15 @@ mstolfp(
if (*cp != '.' && !isdigit((unsigned char)*cp))
return 0;
+ /*
+ * Make sure the buffer has enough room for the input string and the
+ * extra characters, in the worst case replacing "." with "0.000"
+ */
+ end = cp;
+ while (isdigit((unsigned char)*end) || *end == '.')
+ end++;
+ if (end - cp + 4 >= sizeof (buf) - (bp - buf))
+ return 0;
/*
* Search forward for the decimal point or the end of the string.