These naked strcpy()s scare me

diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
index 3680ba34a371dcb4c86722b460b69a39eafd1205..1ec3f1157af95b0a3fe829a2d10d2aa92ba70c78 100644 (file)
--- a/ext/ereg/ereg.c
+++ b/ext/ereg/ereg.c
@@ -474,7 +474,7 @@ PHPAPI char *php_ereg_replace(const char *pattern, const char *replace, const ch
                        if (new_l + 1 > buf_len) {
                                buf_len = 1 + buf_len + 2 * new_l;
                                nbuf = emalloc(buf_len);
-                               strcpy(nbuf, buf);
+                               strcpy(nbuf, buf, buf_len-1);
                                efree(buf);
                                buf = nbuf;
                        }
@@ -511,7 +511,7 @@ PHPAPI char *php_ereg_replace(const char *pattern, const char *replace, const ch
                                if (new_l + 1 > buf_len) {
                                        buf_len = 1 + buf_len + 2 * new_l;
                                        nbuf = safe_emalloc(buf_len, sizeof(char), 0);
-                                       strcpy(nbuf, buf);
+                                       strcpy(nbuf, buf, buf_len-1);
                                        efree(buf);
                                        buf = nbuf;
                                }
@@ -526,7 +526,7 @@ PHPAPI char *php_ereg_replace(const char *pattern, const char *replace, const ch
                        if (new_l + 1 > buf_len) {
                                buf_len = new_l + 1; /* now we know exactly how long it is */
                                nbuf = safe_emalloc(buf_len, sizeof(char), 0);
-                               strcpy(nbuf, buf);
+                               strcpy(nbuf, buf, buf_len-1);
                                efree(buf);
                                buf = nbuf;
                        }