From d713801445fbe91f37eda8f946b35d2f53290c7d Mon Sep 17 00:00:00 2001
From: Jim Paris
Date: Mon, 7 Oct 2019 10:03:29 -0400
Subject: [PATCH] Fix buffer overflow in _cbor_value_copy_string

The function is documented to only null-terminate when the buffer is big enough to allow it. Both upstream intel/tinycbor and mynewt's version do this correctly.
---
 src/cborparser.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/cborparser.c b/src/cborparser.c
index 9ebc7056..49341ae3 100644
--- a/src/cborparser.c
+++ b/src/cborparser.c
@@ -1293,6 +1293,7 @@ CborError _cbor_value_copy_string(const CborValue *value, void *buffer,
                                   size_t *buflen, CborValue *next)
 {
     bool copied_all;
+    size_t maxlen = *buflen;
     CborError err = iterate_string_chunks(value, (char*)buffer, buflen, &copied_all, next,
                                           buffer ? (IterateFunction) value->parser->d->cpy : iterate_noop);
     if (err) {
@@ -1303,7 +1304,7 @@ CborError _cbor_value_copy_string(const CborValue *value, void *buffer,
         return CborErrorOutOfMemory;
     }
-    if (buffer) {
+    if (buffer && *buflen < maxlen) {
         *((uint8_t *)buffer + *buflen) = '\0';
     }
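Review bot: The added `size_t maxlen = *buflen;` only makes the later bound check meaningful if `iterate_string_chunks` overwrites `*buflen` with the number of bytes it actually copied, and that call's contract is not visible in the hunk, so the relationship deserves a comment where `maxlen` is introduced: `/* capacity on entry; iterate_string_chunks() replaces *buflen with the copied length */`. A consequence worth making visible at the second hunk's guard `if (buffer && *buflen < maxlen)` is that a string which presumably fills the buffer exactly is now returned without a NUL terminator, so callers must use the returned `*buflen` rather than treat the buffer as a C string; the commit message says this is the documented contract, and a one-line comment on the guard keeps that from being "fixed" back into the overflow later. _cbor_value_copy_string's body continues outside both hunks.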