Count and limit the string-copy target's length

In this case, the target string's head-pointer is walked forward dynamically in the prior code, where each increment reduces the remaining string-length that's available into which to write. We use pointer artithmetic to count how far the head pointer has moved from the base (subtracting that from the available length), but also adding a safety net to never exceed the original length if the prior pointer-moving code were go off the rails (and exceed the max length).
2020-05-01 07:57:34 -07:00 · 2020-05-01 07:57:34 -07:00 · 71af263cf5
commit 71af263cf5
parent e8acb7f0d7
1 changed files with 9 additions and 1 deletions
--- a/src/shell/shell_cmds.cpp
+++ b/src/shell/shell_cmds.cpp
@ -24,6 +24,7 @@
 #include <cstdlib>
 #include <cstring>
 #include <ctime>
+#include <limits>
 #include <string>
 #include <vector>

@ -962,7 +963,14 @@ void DOS_Shell::CMD_SET(char * args) {
 				if (GetEnvStr(p,temp)) {
 					std::string::size_type equals = temp.find('=');
 					if (equals == std::string::npos) continue;
-					strcpy(p_parsed,temp.substr(equals+1).c_str());
+					const uintptr_t remaining_len = (std::min)(
+					        sizeof(parsed) -
+					                static_cast<uintptr_t>(
+					                        p_parsed - parsed),
+					        sizeof(parsed));
+					safe_strncpy(p_parsed,
+					             temp.substr(equals + 1).c_str(),
+					             remaining_len);
 					p_parsed += strlen(p_parsed);
 				}
 				p = second;