authorMarkus Uhlin <markus@nifty-networks.net>2025-03-29 22:03:54 +0100
committerMarkus Uhlin <markus@nifty-networks.net>2025-03-29 22:03:54 +0100
commite73f3aea4d60e5f1a6b2e6a28eae2202987f6b37 (patch)
tree717c2b483ba90ac4e13092ee48d7cab951b6f390 /FICS
parent4765d8078f1886b15b3dfed858a19585c52564b9 (diff)
player_remove_request: fixed overflowed array index read/write
Diffstat (limited to 'FICS')
-rw-r--r--FICS/playerdb.c27
1 files changed, 24 insertions, 3 deletions
diff --git a/FICS/playerdb.c b/FICS/playerdb.c
index e142a83..cb00fb9 100644
--- a/FICS/playerdb.c
+++ b/FICS/playerdb.c
@@ -1907,23 +1907,44 @@ player_add_request(int p, int p1, int type, int param)
PUBLIC int
player_remove_request(int p, int p1, int type)
{
- int to = 0, from = 0;
+ bool removed;
+ int to = 0, from = 0;
while ((to = player_find_pendto(p, p1, type)) != -1) {
+ removed = false;
+
for (; to < parray[p].num_to - 1; to++) {
+ if (to + 1 >= (int)ARRAY_SIZE(parray[0].p_to_list)) {
+ warnx("%s: overflowed array index read/write",
+ __func__);
+ break;
+ }
+
parray[p].p_to_list[to] = parray[p].p_to_list[to + 1];
+ removed = true;
}
- parray[p].num_to = (parray[p].num_to - 1);
+ if (removed)
+ parray[p].num_to -= 1;
}
while ((from = player_find_pendfrom(p1, p, type)) != -1) {
+ removed = false;
+
for (; from < parray[p1].num_from - 1; from++) {
+ if (from + 1 >= (int)ARRAY_SIZE(parray[0].p_from_list)) {
+ warnx("%s: overflowed array index read/write",
+ __func__);
+ break;
+ }
+
parray[p1].p_from_list[from] =
parray[p1].p_from_list[from + 1];
+ removed = true;
}
- parray[p1].num_from = (parray[p1].num_from - 1);
+ if (removed)
+ parray[p1].num_from -= 1;
}
if ((type == PEND_ALL || type == PEND_MATCH) && parray[p].partner >= 0)
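Review bot: When the matched entry is the last one in the list (`to == parray[p].num_to - 1`, which includes a list of one), the inner `for` never runs, so `removed` stays false and `num_to` is not decremented; the same happens if the new bounds check breaks on the first iteration. Assuming player_find_pendto() searches the first `num_to` entries (it is not visible here), it will return the same index again and the outer `while` will not terminate, so removing an ordinary pending request could hang the server. The `num_from` loop has the same shape and needs the same change. I would validate the count once before shifting and then decrement unconditionally, as sketched below; the function body continues past the end of this hunk.

```c
	while ((to = player_find_pendto(p, p1, type)) != -1) {
		/* Validate the count once so the shift below stays in bounds. */
		if (parray[p].num_to > (int)ARRAY_SIZE(parray[0].p_to_list)) {
			warnx("%s: num_to out of range", __func__);
			break;
		}

		for (; to < parray[p].num_to - 1; to++)
			parray[p].p_to_list[to] = parray[p].p_to_list[to + 1];

		/* Always drop the entry, including when it was the last one. */
		parray[p].num_to -= 1;
	}
	/* … same change for the p_from_list / num_from loop … */
```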