From 41ae77e8698b5b851b09681ce9b7120ccb605eb6 Mon Sep 17 00:00:00 2001
From: H.G. Muller <h.g.muller@hccnet.nl>
Date: Fri, 12 Nov 2010 13:56:33 +0100
Subject: [PATCH] Make safeStrCpy safe

SafeStrCpy was causing a lot of out-of-bound write accesses, as it was
always writing the character at the length limit of the destination.
Now no memory is accessed that is is not needed to hold the copy.
---
 backend.c |   14 +++++---------
 1 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/backend.c b/backend.c
index 1de9cb7..46a14c7 100644
--- a/backend.c
+++ b/backend.c
@@ -311,23 +311,19 @@ char marker[BOARD_RANKS][BOARD_FILES]; /* [HGM] marks for target squares */
 
 char*
 safeStrCpy( char *dst, const char *src, size_t count )
-{
-  /* see for example: https://buildsecurityin.us-cert.gov/bsi-rules/home/g1/854-BSI.html
-   *
-   * usage:   safeStrCpy( stringA, stringB, sizeof(stringA)/sizeof(stringA[0]);
-   */
-
+{ // [HGM] made safe
+  int i;
   assert( dst != NULL );
   assert( src != NULL );
   assert( count > 0 );
 
-  strncpy( dst, src, count );
-  if(  dst[ count-1 ] != '\0' )
+  for(i=0; i<count; i++) if((dst[i] = src[i]) == NULLCHAR) break;
+  if(  i == count-1 && dst[i] != NULLCHAR)
     {
+      dst[ count-1 ] = '\0'; // make sure incomplete copy still null-terminated
       if(appData.debugMode)
       printf("safeStrCpy: copying %s into %s didn't work, not enough space %d\n",src,dst,count);
     }
-  dst[ count-1 ] = '\0';
 
   return dst;
 }
-- 
1.7.0.4