[Bug 3129527]: Fix buffer overflow w/ GCC 4.5 and -D_FORTIFY_SOURCE=2. One more place where this problem could appear.

1 files changed, 7 insertions, 5 deletions

diff --git a/generic/tkTextBTree.c b/generic/tkTextBTree.c
index c2a5fbd..f488038 100644
--- a/generic/tkTextBTree.c
+++ b/generic/tkTextBTree.c
@@ -444,7 +444,7 @@ TkBTreeInsertChars(indexPtr, string)
 	    curPtr->nextPtr = segPtr;
 	}
 	segPtr->size = chunkSize;
-	strncpy(segPtr->body.chars, string, (size_t) chunkSize);
+	memcpy(segPtr->body.chars, string, (size_t) chunkSize);
 	segPtr->body.chars[chunkSize] = 0;
 
 	if (eol[-1] != '\n') {
@@ -3379,12 +3379,13 @@ CharSplitProc(segPtr, index)
     newPtr1->typePtr = &tkTextCharType;
     newPtr1->nextPtr = newPtr2;
     newPtr1->size = index;
-    strncpy(newPtr1->body.chars, segPtr->body.chars, (size_t) index);
+    memcpy(newPtr1->body.chars, segPtr->body.chars, (size_t) index);
     newPtr1->body.chars[index] = 0;
     newPtr2->typePtr = &tkTextCharType;
     newPtr2->nextPtr = segPtr->nextPtr;
     newPtr2->size = segPtr->size - index;
-    strcpy(newPtr2->body.chars, segPtr->body.chars + index);
+    memcpy(newPtr2->body.chars, segPtr->body.chars + index, newPtr2->size);
+    newPtr2->body.chars[newPtr2->size] = 0;
     ckfree((char*) segPtr);
     return newPtr1;
 }
@@ -3426,8 +3427,9 @@ CharCleanupProc(segPtr, linePtr)
     newPtr->typePtr = &tkTextCharType;
     newPtr->nextPtr = segPtr2->nextPtr;
     newPtr->size = segPtr->size + segPtr2->size;
-    strcpy(newPtr->body.chars, segPtr->body.chars);
-    strcpy(newPtr->body.chars + segPtr->size, segPtr2->body.chars);
+    memcpy(newPtr->body.chars, segPtr->body.chars, segPtr->size);
+    memcpy(newPtr->body.chars + segPtr->size, segPtr2->body.chars, segPtr2->size);
+    newPtr->body.chars[newPtr->size] = 0;
     ckfree((char*) segPtr);
     ckfree((char*) segPtr2);
     return newPtr;