REVIEWED: Potential security concerns while copying unbounded text data between strings

Note that issue has been reported by CodeQL static analysis system

src/platforms/rcore_desktop_glfw.c

@@ -1962,7 +1962,7 @@ static void WindowDropCallback(GLFWwindow *window, int count, const char **paths
         for (unsigned int i = 0; i < CORE.Window.dropFileCount; i++)
         {
             CORE.Window.dropFilepaths[i] = (char *)RL_CALLOC(MAX_FILEPATH_LENGTH, sizeof(char));
-            strcpy(CORE.Window.dropFilepaths[i], paths[i]);
+            strncpy(CORE.Window.dropFilepaths[i], paths[i], MAX_FILEPATH_LENGTH - 1);
         }
     }
 }

src/platforms/rcore_desktop_sdl.c

@@ -1431,9 +1431,9 @@ void PollInputEvents(void)
                     // Event memory is now managed by SDL, so you should not free the data in SDL_EVENT_DROP_FILE, 
                     // and if you want to hold onto the text in SDL_EVENT_TEXT_EDITING and SDL_EVENT_TEXT_INPUT events, 
                     // you should make a copy of it. SDL_TEXTINPUTEVENT_TEXT_SIZE is no longer necessary and has been removed
-                    strcpy(CORE.Window.dropFilepaths[CORE.Window.dropFileCount], event.drop.data);
+                    strncpy(CORE.Window.dropFilepaths[CORE.Window.dropFileCount], event.drop.data, MAX_FILEPATH_LENGTH - 1);
                 #else
-                    strcpy(CORE.Window.dropFilepaths[CORE.Window.dropFileCount], event.drop.file);
+                    strncpy(CORE.Window.dropFilepaths[CORE.Window.dropFileCount], event.drop.file, MAX_FILEPATH_LENGTH - 1);
                     SDL_free(event.drop.file);
                 #endif
 
@@ -1444,9 +1444,9 @@ void PollInputEvents(void)
                     CORE.Window.dropFilepaths[CORE.Window.dropFileCount] = (char *)RL_CALLOC(MAX_FILEPATH_LENGTH, sizeof(char));
 
                 #if defined(USING_VERSION_SDL3)
-                    strcpy(CORE.Window.dropFilepaths[CORE.Window.dropFileCount], event.drop.data);
+                    strncpy(CORE.Window.dropFilepaths[CORE.Window.dropFileCount], event.drop.data, MAX_FILEPATH_LENGTH - 1);
                 #else
-                    strcpy(CORE.Window.dropFilepaths[CORE.Window.dropFileCount], event.drop.file);
+                    strncpy(CORE.Window.dropFilepaths[CORE.Window.dropFileCount], event.drop.file, MAX_FILEPATH_LENGTH - 1);
                     SDL_free(event.drop.file);
                 #endif
 

src/platforms/rcore_web.c

@@ -1531,7 +1531,7 @@ static void WindowDropCallback(GLFWwindow *window, int count, const char **paths
         for (unsigned int i = 0; i < CORE.Window.dropFileCount; i++)
         {
             CORE.Window.dropFilepaths[i] = (char *)RL_CALLOC(MAX_FILEPATH_LENGTH, sizeof(char));
-            strcpy(CORE.Window.dropFilepaths[i], paths[i]);
+            strncpy(CORE.Window.dropFilepaths[i], paths[i], MAX_FILEPATH_LENGTH - 1);
         }
     }
 }

src/platforms/rcore_web_emscripten.c

@@ -1387,7 +1387,7 @@ static void WindowDropCallback(GLFWwindow *window, int count, const char **paths
         for (unsigned int i = 0; i < CORE.Window.dropFileCount; i++)
         {
             CORE.Window.dropFilepaths[i] = (char *)RL_CALLOC(MAX_FILEPATH_LENGTH, sizeof(char));
-            strcpy(CORE.Window.dropFilepaths[i], paths[i]);
+            strncpy(CORE.Window.dropFilepaths[i], paths[i], MAX_FILEPATH_LENGTH - 1);
         }
     }
 }

src/rtext.c

@@ -1597,14 +1597,13 @@ float TextToFloat(const char *text)
 
 #if defined(SUPPORT_TEXT_MANIPULATION)
 // Copy one string to another, returns bytes copied
+// NOTE: Alternative implementation to strcpy(dst, src) from C standard library
 int TextCopy(char *dst, const char *src)
 {
     int bytes = 0;
 
     if ((src != NULL) && (dst != NULL))
     {
-        // NOTE: Alternative: use strcpy(dst, src)
-
         while (*src != '\0')
         {
             *dst = *src;
@@ -1717,11 +1716,13 @@ char *TextReplace(const char *text, const char *search, const char *replacement)
     {
         char *insertPoint = NULL;   // Next insert point
         char *temp = NULL;          // Temp pointer
+        int textLen = 0;            // Text string length
         int searchLen = 0;          // Search string length of (the string to remove)
         int replaceLen = 0;         // Replacement length (the string to replace by)
         int lastReplacePos = 0;     // Distance between next search and end of last replace
         int count = 0;              // Number of replacements
 
+        textLen = TextLength(text);
         searchLen = TextLength(search);
         if (searchLen == 0) return NULL;  // Empty search causes infinite loop during count
 
@@ -1732,7 +1733,8 @@ char *TextReplace(const char *text, const char *search, const char *replacement)
         for (count = 0; (temp = strstr(insertPoint, search)); count++) insertPoint = temp + searchLen;
 
         // Allocate returning string and point temp to it
-        temp = result = (char *)RL_MALLOC(TextLength(text) + (replaceLen - searchLen)*count + 1);
+        int tempLen = textLen + (replaceLen - searchLen)*count + 1;
+        temp = result = (char *)RL_MALLOC(tempLen);
 
         if (!result) return NULL;   // Memory could not be allocated
 
@@ -1744,13 +1746,16 @@ char *TextReplace(const char *text, const char *search, const char *replacement)
         {
             insertPoint = (char *)strstr(text, search);
             lastReplacePos = (int)(insertPoint - text);
-            temp = strncpy(temp, text, lastReplacePos) + lastReplacePos;
-            temp = strcpy(temp, replacement) + replaceLen;
+            temp = strncpy(temp, text, tempLen - 1) + lastReplacePos;
+            tempLen -= lastReplacePos;
+            temp = strncpy(temp, replacement, tempLen - 1) + replaceLen;
+            tempLen -= replaceLen;
+            
             text += lastReplacePos + searchLen; // Move to next "end of replace"
         }
 
         // Copy remaind text part after replacement to result (pointed by moving temp)
-        strcpy(temp, text);
+        strncpy(temp, text, tempLen - 1);
     }
 
     return result;