From b61c50a0044ac8070434b6dba6b11a25d649025c Mon Sep 17 00:00:00 2001
From: Rasmus Lerdorf <rasmus@php.net>
Date: Sun, 7 Aug 2011 00:18:38 +0000
Subject: [PATCH] These naked strcpy()s scare me

---
 ext/ereg/ereg.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
index 3680ba34a3..1ec3f1157a 100644
--- a/ext/ereg/ereg.c
+++ b/ext/ereg/ereg.c
@@ -474,7 +474,7 @@ PHPAPI char *php_ereg_replace(const char *pattern, const char *replace, const ch
 			if (new_l + 1 > buf_len) {
 				buf_len = 1 + buf_len + 2 * new_l;
 				nbuf = emalloc(buf_len);
-				strcpy(nbuf, buf);
+				strcpy(nbuf, buf, buf_len-1);
 				efree(buf);
 				buf = nbuf;
 			}
@@ -511,7 +511,7 @@ PHPAPI char *php_ereg_replace(const char *pattern, const char *replace, const ch
 				if (new_l + 1 > buf_len) {
 					buf_len = 1 + buf_len + 2 * new_l;
 					nbuf = safe_emalloc(buf_len, sizeof(char), 0);
-					strcpy(nbuf, buf);
+					strcpy(nbuf, buf, buf_len-1);
 					efree(buf);
 					buf = nbuf;
 				}
@@ -526,7 +526,7 @@ PHPAPI char *php_ereg_replace(const char *pattern, const char *replace, const ch
 			if (new_l + 1 > buf_len) {
 				buf_len = new_l + 1; /* now we know exactly how long it is */
 				nbuf = safe_emalloc(buf_len, sizeof(char), 0);
-				strcpy(nbuf, buf);
+				strcpy(nbuf, buf, buf_len-1);
 				efree(buf);
 				buf = nbuf;
 			}
-- 
2.40.0