From: Rasmus Lerdorf <rasmus@php.net>
Date: Sun, 7 Aug 2011 00:18:38 +0000 (+0000)
Subject: These naked strcpy()s scare me
X-Git-Tag: php-5.4.0beta1~510
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5a448d23b26bd07c58eb6dd28ce376b31b339ba0;p=php

These naked strcpy()s scare me
---

diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
index 3fbaa2cc63..c2b065210a 100644
--- a/ext/ereg/ereg.c
+++ b/ext/ereg/ereg.c
@@ -474,7 +474,7 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co
 			if (new_l + 1 > buf_len) {
 				buf_len = 1 + buf_len + 2 * new_l;
 				nbuf = emalloc(buf_len);
-				strcpy(nbuf, buf);
+				strncpy(nbuf, buf, buf_len-1);
 				efree(buf);
 				buf = nbuf;
 			}
@@ -511,7 +511,7 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co
 				if (new_l + 1 > buf_len) {
 					buf_len = 1 + buf_len + 2 * new_l;
 					nbuf = safe_emalloc(buf_len, sizeof(char), 0);
-					strcpy(nbuf, buf);
+					strncpy(nbuf, buf, buf_len-1);
 					efree(buf);
 					buf = nbuf;
 				}
@@ -526,7 +526,7 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co
 			if (new_l + 1 > buf_len) {
 				buf_len = new_l + 1; /* now we know exactly how long it is */
 				nbuf = safe_emalloc(buf_len, sizeof(char), 0);
-				strcpy(nbuf, buf);
+				strncpy(nbuf, buf, buf_len-1);
 				efree(buf);
 				buf = nbuf;
 			}