From: H.G. Muller <h.g.muller@hccnet.nl>
Date: Fri, 12 Nov 2010 12:56:33 +0000 (+0100)
Subject: Make safeStrCpy safe
X-Git-Url: http://winboard.nl/cgi-bin?a=commitdiff_plain;h=41ae77e8698b5b851b09681ce9b7120ccb605eb6;hp=37c976246d65ccb8ed013af03dac284b4a431cff;p=xboard.git

Make safeStrCpy safe

SafeStrCpy was causing a lot of out-of-bound write accesses, as it was
always writing the character at the length limit of the destination.
Now no memory is accessed that is is not needed to hold the copy.
---

diff --git a/backend.c b/backend.c
index 1de9cb7..46a14c7 100644
--- a/backend.c
+++ b/backend.c
@@ -311,23 +311,19 @@ char marker[BOARD_RANKS][BOARD_FILES]; /* [HGM] marks for target squares */
 
 char*
 safeStrCpy( char *dst, const char *src, size_t count )
-{
-  /* see for example: https://buildsecurityin.us-cert.gov/bsi-rules/home/g1/854-BSI.html
-   *
-   * usage:   safeStrCpy( stringA, stringB, sizeof(stringA)/sizeof(stringA[0]);
-   */
-
+{ // [HGM] made safe
+  int i;
   assert( dst != NULL );
   assert( src != NULL );
   assert( count > 0 );
 
-  strncpy( dst, src, count );
-  if(  dst[ count-1 ] != '\0' )
+  for(i=0; i<count; i++) if((dst[i] = src[i]) == NULLCHAR) break;
+  if(  i == count-1 && dst[i] != NULLCHAR)
     {
+      dst[ count-1 ] = '\0'; // make sure incomplete copy still null-terminated
       if(appData.debugMode)
       printf("safeStrCpy: copying %s into %s didn't work, not enough space %d\n",src,dst,count);
     }
-  dst[ count-1 ] = '\0';
 
   return dst;
 }