From 2946ce055c142319dddba7b20d8839146817d6ee Mon Sep 17 00:00:00 2001
From: Paulo Cabral Sanz
Date: Thu, 8 Jul 2021 20:35:09 -0300
Subject: [PATCH] Avoid copying past end of buffer in String.concat (#8198)
---
 cores/esp8266/WString.cpp | 2 +-
 tests/host/core/test_string.cpp | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/cores/esp8266/WString.cpp b/cores/esp8266/WString.cpp
index d833509a1..6e6dc94be 100644
--- a/cores/esp8266/WString.cpp
+++ b/cores/esp8266/WString.cpp
@@ -305,7 +305,7 @@ bool String::concat(const char *cstr, unsigned int length) {
 return true;
 if (!reserve(newlen))
 return false;
- memmove_P(wbuffer() + len(), cstr, length + 1);
+ memmove_P(wbuffer() + len(), cstr, length);
 setLen(newlen);
 wbuffer()[newlen] = 0;
 return true;
diff --git a/tests/host/core/test_string.cpp b/tests/host/core/test_string.cpp
index 619313270..cd844545d 100644
--- a/tests/host/core/test_string.cpp
+++ b/tests/host/core/test_string.cpp
@@ -594,3 +594,13 @@ TEST_CASE("String chaining", "[core][String]")
 REQUIRE(static_cast(result.c_str()) == static_cast(ptr));
 }
 }
+
+TEST_CASE("String concat OOB #8198", "[core][String]")
+{
+ char *p = (char*)malloc(16);
+ memset(p, 'x', 16);
+ String s = "abcd";
+ s.concat(p, 16);
+ REQUIRE(!strcmp(s.c_str(), "abcdxxxxxxxxxxxxxxxx"));
+ free(p);
+}
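Review bot: The corrected `memmove_P(wbuffer() + len(), cstr, length);` call in `String::concat` has no comment recording that `cstr` is not required to be NUL-terminated, so a later cleanup could restore `length + 1` and with it the one-byte read past the caller's buffer. A line above the call such as `// cstr may lack a terminator: copy exactly length bytes, NUL is written below` would pin the contract next to the explicit `wbuffer()[newlen] = 0;`. The start of the function, including how `newlen` is computed, lies outside the hunk, so whether the sum of the current length and `length` can wrap before `reserve(newlen)` cannot be judged from here and is worth confirming.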
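Review bot: The new "String concat OOB #8198" test checks only the resulting content, which the pre-fix code would also produce because the extra byte it copied is overwritten by the terminator afterwards. The regression is therefore caught only if the host suite runs under a memory checker such as ASan or valgrind, and a comment in the test should say so. The test also ignores the result of `s.concat(p, 16)` and never checks the length; `REQUIRE(s.concat(p, 16));` followed by `REQUIRE(s.length() == 20);` would tighten it. Finally, `free(p)` is skipped when a `REQUIRE` fails, and a `char p[16]` array or a `std::vector<char>` would avoid both that and the unchecked `malloc`, although a stack array may change what the memory checker can observe.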