From 41ae77e8698b5b851b09681ce9b7120ccb605eb6 Mon Sep 17 00:00:00 2001
From: "H.G. Muller" <h.g.muller@hccnet.nl>
Date: Fri, 12 Nov 2010 13:56:33 +0100
Subject: [PATCH] Make safeStrCpy safe

SafeStrCpy was causing a lot of out-of-bound write accesses, as it was
always writing the character at the length limit of the destination.
Now no memory is accessed that is is not needed to hold the copy.
---
 backend.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/backend.c b/backend.c
index 1de9cb76..46a14c7e 100644
--- a/backend.c
+++ b/backend.c
@@ -311,23 +311,19 @@ char marker[BOARD_RANKS][BOARD_FILES]; /* [HGM] marks for target squares */
 
 char*
 safeStrCpy( char *dst, const char *src, size_t count )
-{
-  /* see for example: https://buildsecurityin.us-cert.gov/bsi-rules/home/g1/854-BSI.html
-   *
-   * usage:   safeStrCpy( stringA, stringB, sizeof(stringA)/sizeof(stringA[0]);
-   */
-
+{ // [HGM] made safe
+  int i;
   assert( dst != NULL );
   assert( src != NULL );
   assert( count > 0 );
 
-  strncpy( dst, src, count );
-  if(  dst[ count-1 ] != '\0' )
+  for(i=0; i<count; i++) if((dst[i] = src[i]) == NULLCHAR) break;
+  if(  i == count-1 && dst[i] != NULLCHAR)
     {
+      dst[ count-1 ] = '\0'; // make sure incomplete copy still null-terminated
       if(appData.debugMode)
       printf("safeStrCpy: copying %s into %s didn't work, not enough space %d\n",src,dst,count);
     }
-  dst[ count-1 ] = '\0';
 
   return dst;
 }
-- 
2.17.1