Fix 5 places of misused memcpy() with overlapped source and destina…

…tion. Found with `ack 'memcpy\([^,]*?(\b\w+\b)[^,]*?,[^,]*\1'` - maple/more.c: `mgets()` & `mread()` - maple/talk.c: `bmw_rqst()` - maple/xover.c: `Tagger()` - so/chat.c: `t_chat()`
ccns · Feb 13, 2020 · e7e99d4 · e7e99d4
1 parent e893cdf
commit e7e99d4
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 5 deletions.
diff --git a/maple/more.c b/maple/more.c
@@ -61,8 +61,11 @@ mgets(
     {
         if (head >= tail)
         {
+            /* IID.20191222:
+             *    Read little and then run out of chars in the middle of a long line
+             *       => head - base > base - pool => overlap */
             if ((ch = head - base))
-                memcpy(pool, base, ch);
+                memmove(pool, base, ch);
 
             head = pool + ch;
             ch = read(fd, head, MORE_BUFSIZE - ch);
@@ -105,8 +108,11 @@ mread(
 
     if (size < len)
     {
+        /* IID.20191222:
+         *    Read little and then run out of chars for large `len`
+         *       => size > base => overlap */
         if (size)
-            memcpy(pool, pool + base, size);
+            memmove(pool, pool + base, size);
 
         base = read(fd, pool + size, MORE_BUFSIZE - size);
 

diff --git a/maple/talk.c b/maple/talk.c
@@ -2394,7 +2394,8 @@ bmw_rqst(void)
         if (i >= 0)
         {
             locus -= i;
-            memcpy(bmw_lslot, bmw_lslot + i, locus * sizeof(BMW));
+            /* IID.20191222: Large `locus` && small `j` => `locus` > `i` => overlap */
+            memmove(bmw_lslot, bmw_lslot + i, locus * sizeof(BMW));
         }
 
         i = 0;

diff --git a/maple/xover.c b/maple/xover.c
@@ -367,7 +367,7 @@ Tagger(
             return false;
 
         TagNum = --tail;
-        memcpy(&tagp[pos], &tagp[pos + 1], (tail - pos) * sizeof(TagItem));
+        memmove(&tagp[pos], &tagp[pos + 1], (tail - pos) * sizeof(TagItem));
         return -1;
     }
 

diff --git a/so/chat.c b/so/chat.c
@@ -851,7 +851,7 @@ t_chat(void)
             if (cmdcol)
             {
                 ch = cmdcol--;
-                memcpy(&ptr[cmdcol], &ptr[ch], 69 - cmdcol);
+                memmove(&ptr[cmdcol], &ptr[ch], 69 - cmdcol);
                 move(b_lines - 1, cmdcol + 10);
                 outs(&ptr[cmdcol]);
                 clrtoeol();