From: Rasmus Lerdorf <rasmus@php.net>
Date: Sun, 7 Aug 2011 00:18:38 +0000 (+0000)
Subject: These naked strcpy()s scare me
X-Git-Tag: php-5.3.7RC5~45
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b61c50a0044ac8070434b6dba6b11a25d649025c;p=php

These naked strcpy()s scare me
---

diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
index 3680ba34a3..1ec3f1157a 100644
--- a/ext/ereg/ereg.c
+++ b/ext/ereg/ereg.c
@@ -474,7 +474,7 @@ PHPAPI char *php_ereg_replace(const char *pattern, const char *replace, const ch
 			if (new_l + 1 > buf_len) {
 				buf_len = 1 + buf_len + 2 * new_l;
 				nbuf = emalloc(buf_len);
-				strcpy(nbuf, buf);
+				strcpy(nbuf, buf, buf_len-1);
 				efree(buf);
 				buf = nbuf;
 			}
@@ -511,7 +511,7 @@ PHPAPI char *php_ereg_replace(const char *pattern, const char *replace, const ch
 				if (new_l + 1 > buf_len) {
 					buf_len = 1 + buf_len + 2 * new_l;
 					nbuf = safe_emalloc(buf_len, sizeof(char), 0);
-					strcpy(nbuf, buf);
+					strcpy(nbuf, buf, buf_len-1);
 					efree(buf);
 					buf = nbuf;
 				}
@@ -526,7 +526,7 @@ PHPAPI char *php_ereg_replace(const char *pattern, const char *replace, const ch
 			if (new_l + 1 > buf_len) {
 				buf_len = new_l + 1; /* now we know exactly how long it is */
 				nbuf = safe_emalloc(buf_len, sizeof(char), 0);
-				strcpy(nbuf, buf);
+				strcpy(nbuf, buf, buf_len-1);
 				efree(buf);
 				buf = nbuf;
 			}