[PATCH] d3dxof: avoid some strcpy overflows (Coverity)

[Marcus Meissner]

214462 Destination buffer too small

check the target sizes before copying over it...

Signed-off-by: Marcus Meissner <marcus at jet.franken.de>
---
 dlls/d3dxof/parsing.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/dlls/d3dxof/parsing.c b/dlls/d3dxof/parsing.c
index f7724ec..26f9d46 100644
--- a/dlls/d3dxof/parsing.c
+++ b/dlls/d3dxof/parsing.c
@@ -532,8 +532,11 @@ static BOOL is_name(parse_buffer* buf)
   buf->rem_bytes -= pos;
 
   TRACE("Found name %s\n", tmp);
+  if (strlen(tmp)+1 > sizeof(buf->value)) {
+    FIXME("name %s exceeds buffer length\n", tmp);
+    return FALSE;
+  }
   strcpy((char*)buf->value, tmp);
-
   return TRUE;
 }
 
@@ -632,6 +635,12 @@ static BOOL is_string(parse_buffer* buf)
   buf->rem_bytes -= pos + 2;
 
   TRACE("Found string %s\n", tmp);
+
+  if (strlen(tmp)+1 > sizeof(buf->value)) {
+    FIXME("name %s exceeds buffer length\n", tmp);
+    return FALSE;
+  }
+
   strcpy((char*)buf->value, tmp);
 
   return TRUE;
@@ -928,6 +937,10 @@ static BOOL parse_template_option_info(parse_buffer * buf)
     {
       if (get_TOKEN(buf) != TOKEN_NAME)
         return FALSE;
+      if (strlen((char*)buf->value)+1 > sizeof(cur_template->children[cur_template->nb_children])) {
+        FIXME("name %s too long for buffer\n", (char*)buf->value);
+        return FALSE;
+      }
       strcpy(cur_template->children[cur_template->nb_children], (char*)buf->value);
       if (check_TOKEN(buf) == TOKEN_GUID)
         get_TOKEN(buf);
@@ -990,6 +1003,10 @@ static BOOL parse_template_members_list(parse_buffer * buf)
 
     if (get_TOKEN(buf) != TOKEN_NAME)
       return FALSE;
+    if (strlen((char*)buf->value)+1 > sizeof(cur_member->name)) {
+      FIXME("name %s exceeds buffer length\n", (char*)buf->value);
+      return FALSE;
+    }
     strcpy(cur_member->name, (char*)buf->value);
 
     if (array)
-- 
2.9.3