mirrors/raylib
1
0
Fork 0
mirror of https://github.com/raysan5/raylib.git synced 2026-06-27 21:40:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

[rtext] Fix buffer overflow in TextReplaceBetween() (#5936)

Browse Source 
The MAX_TEXT_BUFFER_LENGTH guard present in TextReplace()/TextInsert() was
missing here, so the three strncpy() calls could write past the 1024-byte
static buffer for long inputs. Add the same length check before copying.

Co-authored-by: Brandon Arrendondo <brandon.arrendondo@bissell.com>
This commit is contained in:
Brandon Arrendondo
2026-06-24 10:41:19 -04:00
committed by GitHub
parent 83cb4cc210
commit 9215540015
1 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/rtext.c
View File

@@ -1919,9 +1919,13 @@ char *TextReplaceBetween(const char *text, const char *begin, const char *end, c
int replaceLen = (replacement == NULL)? 0 : TextLength(replacement);
//int toreplaceLen = endIndex - beginIndex - beginLen;
strncpy(buffer, text, beginIndex + beginLen); // Copy first text part
if (replacement != NULL) strncpy(buffer + beginIndex + beginLen, replacement, replaceLen); // Copy replacement (if provided)
strncpy(buffer + beginIndex + beginLen + replaceLen, text + endIndex, textLen - endIndex); // Copy end text part
if ((beginIndex + beginLen + replaceLen + (textLen - endIndex)) < (MAX_TEXT_BUFFER_LENGTH - 1))
{
strncpy(buffer, text, beginIndex + beginLen); // Copy first text part
if (replacement != NULL) strncpy(buffer + beginIndex + beginLen, replacement, replaceLen); // Copy replacement (if provided)
strncpy(buffer + beginIndex + beginLen + replaceLen, text + endIndex, textLen - endIndex); // Copy end text part
}
else TRACELOG(LOG_WARNING, "TEXT: Text with replaced string is longer than internal buffer (MAX_TEXT_BUFFER_LENGTH)");
}
}
}