The function get_current_working_directory retrieves the current
working directory by calling getcwd() or, if that fails, by reading
the environment variable PWD.

In either case, get_current_working_directory verifies that the path
ends with a slash. If not, it will append it.

Unfortunately, get_current_working_directory doesn't check if there
is enough space to add a trailing slash. This could lead to a buffer
overflow of one character if the path is 255 characters long.

This quick and simple fix just verifies that the path is at max 254
characters long. But in general I would recommend to use a dynamically
allocated array.

--- which-2.21/which.c~	2015-06-21 11:53:10.569495520 +0200
+++ which-2.21/which.c	2015-06-21 11:56:30.490904503 +0200
@@ -170,10 +170,10 @@
   if (cwdlen)
     return;
 
-  if (!getcwd(cwd, sizeof(cwd)))
+  if (!getcwd(cwd, sizeof(cwd) - 1))
   {
     const char *pwd = getenv("PWD");
-    if (pwd && strlen(pwd) < sizeof(cwd))
+    if (pwd && strlen(pwd) < sizeof(cwd) - 1)
       strcpy(cwd, pwd);
   }