Tags: strncpy
Rating:
The solution exploits a bug in strncpy (the SSE version) where strings may be prematurely terminated during copy if called with MAX_LENGTH.
I found the bug with AFL and it was trivial to exploit after finding a crashing input.
Afterwards, I investigated the bug and found the root cause: an integer overflow when performing alignment checks in the copy part of the function.
Full writeup here: [https://ctf.harrisongreen.me/2019/hxpctf/flag_concat/](https://ctf.harrisongreen.me/2019/hxpctf/flag_concat/)
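As an added illustration (not the challenge's SSE strncpy and not code from the writeup), a reduced C model of the bug class named above: a copy loop whose source-window boundary is computed in address space wraps when `n` is `SIZE_MAX`, so both the chunked path and the tail path see an empty window and the string is terminated early; beside it, the same loop with the remaining length tracked as a count, and the regression check a fuzzing harness would assert. The `CHUNK` width, the sample string and the loop structure are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CHUNK 16   /* width of one SIMD copy step; assumed value */

/* copy_buggy: hypothetical model of the bug class (not the challenge code).
 * The end of the source window is computed as src + n in address space.
 * For n == SIZE_MAX the unsigned sum wraps to src - 1, so the chunk check
 * and the tail loop both see an empty window and dst is terminated at
 * index 0. Unlike strncpy, this model always writes a terminator, so dst
 * must hold n + 1 bytes. Returns the number of bytes copied. */
static size_t copy_buggy(char *dst, const char *src, size_t n) {
    uintptr_t end = (uintptr_t)src + n;            /* wraps for huge n */
    size_t copied = 0;
    /* fast path: a whole CHUNK of non-NUL source lies before the end */
    while ((uintptr_t)(src + copied) + CHUNK <= end &&
           strnlen(src + copied, CHUNK) == CHUNK) {
        memcpy(dst + copied, src + copied, CHUNK);
        copied += CHUNK;
    }
    /* tail: byte by byte up to the (possibly wrapped) window end */
    while ((uintptr_t)(src + copied) < end && src[copied]) {
        dst[copied] = src[copied];
        copied++;
    }
    dst[copied] = '\0';
    return copied;
}

/* copy_fixed: same structure, but the remaining length is a count, not an
 * address, so no wraparound is possible for any value of n. */
static size_t copy_fixed(char *dst, const char *src, size_t n) {
    size_t copied = 0, left = n;
    while (left >= CHUNK && strnlen(src + copied, CHUNK) == CHUNK) {
        memcpy(dst + copied, src + copied, CHUNK);
        copied += CHUNK;
        left -= CHUNK;
    }
    while (left > 0 && src[copied]) {
        dst[copied] = src[copied];
        copied++;
        left--;
    }
    dst[copied] = '\0';
    return copied;
}

/* Regression check: copying a constructed string with n == SIZE_MAX must
 * not shorten it. Returns 1 if the routine truncated, 0 otherwise. */
static int truncates_with_max_length(size_t (*copy)(char *, const char *, size_t)) {
    const char *sample = "hxp{constructed-sample-flag}";   /* constructed */
    char out[64];
    return copy(out, sample, SIZE_MAX) != strlen(sample);
}
```

A fuzzer only finds this if its harness passes a huge length; a unit test that pins the `SIZE_MAX` case catches the regression directly.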