From 71af263cf5a2c164f42d0f2208bb9f2b7751c753 Mon Sep 17 00:00:00 2001 From: kcgen <1557255+kcgen@users.noreply.github.com> Date: Fri, 1 May 2020 07:57:34 -0700 Subject: [PATCH] Count and limit the string-copy target's length In this case, the target string's head-pointer is walked forward dynamically in the prior code, where each increment reduces the remaining string-length that's available into which to write. We use pointer artithmetic to count how far the head pointer has moved from the base (subtracting that from the available length), but also adding a safety net to never exceed the original length if the prior pointer-moving code were go off the rails (and exceed the max length). --- src/shell/shell_cmds.cpp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/shell/shell_cmds.cpp b/src/shell/shell_cmds.cpp index a53b0a85..775131d2 100644 --- a/src/shell/shell_cmds.cpp +++ b/src/shell/shell_cmds.cpp @@ -24,6 +24,7 @@ #include #include #include +#include #include #include @@ -962,7 +963,14 @@ void DOS_Shell::CMD_SET(char * args) { if (GetEnvStr(p,temp)) { std::string::size_type equals = temp.find('='); if (equals == std::string::npos) continue; - strcpy(p_parsed,temp.substr(equals+1).c_str()); + const uintptr_t remaining_len = (std::min)( + sizeof(parsed) - + static_cast( + p_parsed - parsed), + sizeof(parsed)); + safe_strncpy(p_parsed, + temp.substr(equals + 1).c_str(), + remaining_len); p_parsed += strlen(p_parsed); } p = second;
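Review bot: The `(std::min)(..., sizeof(parsed))` clamp in the second hunk does not make the copy safe in the case the commit message calls the safety net: if `p_parsed - parsed` ever exceeds `sizeof(parsed)`, the unsigned subtraction wraps and the clamp yields the full `sizeof(parsed)`, which is then used as the writable length from a pointer that is already past the buffer. The boundary case `p_parsed - parsed == sizeof(parsed)` gives a length of 0, which is worth checking against `safe_strncpy` (defined outside this diff), since an implementation that writes its terminator at index `n - 1` would underflow. I would test the offset first and skip the copy when no room is left, e.g. `const size_t used = static_cast<size_t>(p_parsed - parsed);` followed by `if (used >= sizeof(parsed)) break;`, and then pass `sizeof(parsed) - used` as the length. This assumes `parsed` is an array, so that `sizeof` is its capacity, and that leaving the loop early is acceptable; its declaration and the rest of `CMD_SET` are outside the hunk.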