Fix safety crash when appending comments

The length limit imposed on safeStrCpy was one too short when copying
an existing comment to the space allocated for the longer (concatenated)
one. It allowed no space for the terminating '\0'.

diff --git a/backend.c b/backend.c
index 6e544c0..a887fb6 100644 (file)
--- a/backend.c
+++ b/backend.c
@@ -13373,7 +13373,7 @@ if(appData.debugMode) fprintf(debugFP, "Append: in='%s' %d\n", text, addBraces);
        while(commentList[index][oldlen-1] ==  '\n')
          commentList[index][--oldlen] = NULLCHAR;
        commentList[index] = (char *) malloc(oldlen + len + 6); // might waste 4
-       safeStrCpy(commentList[index], old, oldlen);
+       safeStrCpy(commentList[index], old, oldlen + len + 6);
        free(old);
        // [HGM] braces: join "{A\n}\n" + "{\nB}" as "{A\nB\n}"
        if(commentList[index][oldlen-1] == '}' && (text[0] == '{' || addBraces)) {