Avoid underflow in strlcpy and strlcat wrappers when count is zero

We can't decrement n because it's unsigned and might be zero which
means it would wrap and we'd wind up reading far too much.

Fixes BZ#208052

diff --git a/shared/vg_replace_strmem.c b/shared/vg_replace_strmem.c
index 71c7e568c13ea921e329cef5febd2ee72eba4dcb..6c946ce44fefa1917dd76627b29f0dfbbb96f7a6 100644 (file)
--- a/shared/vg_replace_strmem.c
+++ b/shared/vg_replace_strmem.c
@@ -377,7 +377,7 @@ static inline void my_exit ( int x )
       while (m < n && *dst) { m++; dst++; } \
       if (m < n) { \
          /* Fill as far as dst_orig[n-2], then nul-terminate. */ \
-         while (m < n-1 && *src) { m++; *dst++ = *src++; } \
+         while (m+1 < n && *src) { m++; *dst++ = *src++; } \
          *dst = 0; \
       } else { \
          /* No space to copy anything to dst. m == n */ \
@@ -580,7 +580,7 @@ static inline void my_exit ( int x )
       \
       STRLCPY_CHECK_FOR_DSTSIZE_ZERO \
       \
-      while (m < n-1 && *src) { m++; *dst++ = *src++; } \
+      while (m+1 < n && *src) { m++; *dst++ = *src++; } \
       /* m non-nul bytes have now been copied, and m <= n-1. */ \
       /* Check for overlap after copying; all n bytes of dst are relevant, */ \
       /* but only m+1 bytes of src if terminator was found */ \