Fix buffer overflow (PR#18613).

git-svn-id: https://svn.r-project.org/R/trunk@85415 00db46b3-68df-0310-9c12-caf00c1e9a41
r-devel · Oct 26, 2023 · 73e1868 · 73e1868
1 parent 324458a
commit 73e1868
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/src/library/graphics/src/plot3d.c b/src/library/graphics/src/plot3d.c
@@ -1,6 +1,6 @@
 /*
  *  R : A Computer Language for Statistical Data Analysis
- *  Copyright (C) 1998--2018  The R Core Team
+ *  Copyright (C) 1998--2023  The R Core Team
  *
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -1564,16 +1564,19 @@ static SEXP contour(SEXP x, int nx, SEXP y, int ny, SEXP z,
 		buffer[0] = ' ';
 		if (!isNull(labels)) {
 		    int numl = length(labels);
-		    strcpy(&buffer[1], CHAR(STRING_ELT(labels, cnum % numl)));
+		    strncpy(&buffer[1], CHAR(STRING_ELT(labels, cnum % numl)),
+		            sizeof(buffer) - 2);
 		    enc = getCharCE(STRING_ELT(labels, cnum % numl));
 		}
 		else {
 		    PROTECT(lab = allocVector(REALSXP, 1));
 		    REAL(lab)[0] = zc;
 		    lab = labelformat(lab);
-		    strcpy(&buffer[1], CHAR(STRING_ELT(lab, 0))); /* ASCII */
+		    strncpy(&buffer[1], CHAR(STRING_ELT(lab, 0)),
+		            sizeof(buffer) - 2); /* ASCII */
 		    UNPROTECT(1); /* lab */
 		}
+		buffer[sizeof(buffer)-2] = '\0';
 		buffer[strlen(buffer)+1] = '\0';
 		buffer[strlen(buffer)] = ' ';