Subject: Re: BoS: Linux & BSD's lpr exploit (fwd)
To: Curt Sampson <curt@portal.ca>
From: John F. Woods <jfw@jfwhome.funhouse.com>
List: current-users
Date: 10/25/1996 16:58:35
Not that it matters much, but I'd suggest this as a slightly better patch:
(Someone more awake than I am right now should check for whether I'm off by
one...)
--------------------------------------------------------------------------
  static void
  card(c, p2)
          register int c;
          register char *p2;
  {
          char buf[BUFSIZ];
          register char *p1 = buf;
          register int len = 2;

          *p1++ = c;
!         while (len < BUFSIZ-1 && (c = *p2++) != '\0') {
                *p1++ = (c == '\n') ? ' ' : c;
                len++;
          }
+         if (len == BUFSIZ-1) {
+             fatal2("excessive control line length");
+         }
          *p1++ = '\n';
          write(tfd, buf, len);
  }
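Review bot: the `if (len == BUFSIZ-1)` check after the loop cannot tell a line that was cut off from a line that fit exactly: a control line of BUFSIZ-3 characters fills the buffer, the loop stops on the length test before it ever reads the terminating '\0', and the line is then rejected with fatal2 even though it would have fit. Since p2 still points at the next unread character whenever the loop exits on length, testing `if (len == BUFSIZ-1 && *p2 != '\0')` rejects only lines that really were too long. The bound itself is safe: the bytes written total exactly `len` (the leading c, the copied characters, and the trailing '\n'), and `len` can reach at most BUFSIZ-1, so buf[BUFSIZ] is never overrun; it is one byte more conservative than necessary, which is fine. Unrelated to this change, the return value of the write() on the last line is still ignored.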
--------------------------------------------------------------------------

The subroutine right above this one, linked(), has the same class of bug
(happily overflow a fixed buffer) though I don't offhand see an easy way
to exploit it as a security hole.  (Hmm, create exactly the RIGHT directory
names?  Scary.)