html: fix strcpy bug in convert_query_hexchar

The source and destination strings in strcpy() may not overlap.
Instead, use memmove(), which allows overlap.  This fixes test t0104,
where 'url=foo%2bbar/tree' was being parsed improperly.

Signed-off-by: Mark Lodato <lodatom@gmail.com>

1 files changed, 5 insertions, 4 deletions

diff --git a/html.c b/html.c
index 66ba65d..d86b2c1 100644
--- a/html.c
+++ b/html.c
@@ -219,61 +219,62 @@ int html_include(const char *filename)
 		fprintf(stderr, "[cgit] Failed to include file %s: %s (%d).\n",
 			filename, strerror(errno), errno);
 		return -1;
 	}
 	while((len = fread(buf, 1, 4096, f)) > 0)
 		write(htmlfd, buf, len);
 	fclose(f);
 	return 0;
 }
 
 int hextoint(char c)
 {
 	if (c >= 'a' && c <= 'f')
 		return 10 + c - 'a';
 	else if (c >= 'A' && c <= 'F')
 		return 10 + c - 'A';
 	else if (c >= '0' && c <= '9')
 		return c - '0';
 	else
 		return -1;
 }
 
 char *convert_query_hexchar(char *txt)
 {
-	int d1, d2;
-	if (strlen(txt) < 3) {
+	int d1, d2, n;
+	n = strlen(txt);
+	if (n < 3) {
 		*txt = '\0';
 		return txt-1;
 	}
 	d1 = hextoint(*(txt+1));
 	d2 = hextoint(*(txt+2));
 	if (d1<0 || d2<0) {
-		strcpy(txt, txt+3);
+		memmove(txt, txt+3, n-3);
 		return txt-1;
 	} else {
 		*txt = d1 * 16 + d2;
-		strcpy(txt+1, txt+3);
+		memmove(txt+1, txt+3, n-2);
 		return txt;
 	}
 }
 
 int http_parse_querystring(char *txt, void (*fn)(const char *name, const char *value))
 {
 	char *t, *value = NULL, c;
 
 	if (!txt)
 		return 0;
 
 	t = txt = strdup(txt);
 	if (t == NULL) {
 		printf("Out of memory\n");
 		exit(1);
 	}
 	while((c=*t) != '\0') {
 		if (c=='=') {
 			*t = '\0';
 			value = t+1;
 		} else if (c=='+') {
 			*t = ' ';
 		} else if (c=='%') {
 			t = convert_query_hexchar(t);