From: H.G. Muller Date: Wed, 17 Nov 2010 12:40:20 +0000 (+0100) Subject: Fix safety crash when appending comments X-Git-Url: http://winboard.nl/cgi-bin?a=commitdiff_plain;h=ec8be891e233fca8d33f5452b5bfc97fe0ac7d51;p=xboard.git Fix safety crash when appending comments The length limit imposed on safeStrCpy was one too short when copying an existing comment to the space allocated for the longer (concatenated) one. It allowed no space for the terminating '\0'. --- diff --git a/backend.c b/backend.c index 6e544c0..a887fb6 100644 --- a/backend.c +++ b/backend.c @@ -13373,7 +13373,7 @@ if(appData.debugMode) fprintf(debugFP, "Append: in='%s' %d\n", text, addBraces); while(commentList[index][oldlen-1] == '\n') commentList[index][--oldlen] = NULLCHAR; commentList[index] = (char *) malloc(oldlen + len + 6); // might waste 4 - safeStrCpy(commentList[index], old, oldlen); + safeStrCpy(commentList[index], old, oldlen + len + 6); free(old); // [HGM] braces: join "{A\n}\n" + "{\nB}" as "{A\nB\n}" if(commentList[index][oldlen-1] == '}' && (text[0] == '{' || addBraces)) {