author | Markus Uhlin <markus@nifty-networks.net> | 2025-03-29 22:03:54 +0100 |
---|---|---|
committer | Markus Uhlin <markus@nifty-networks.net> | 2025-03-29 22:03:54 +0100 |
commit | e73f3aea4d60e5f1a6b2e6a28eae2202987f6b37 (patch) | |
tree | 717c2b483ba90ac4e13092ee48d7cab951b6f390 /FICS | |
parent | 4765d8078f1886b15b3dfed858a19585c52564b9 (diff) |
player_remove_request: fixed overflowed array index read/write
Diffstat (limited to 'FICS')
-rw-r--r-- | FICS/playerdb.c | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/FICS/playerdb.c b/FICS/playerdb.c index e142a83..cb00fb9 100644 --- a/FICS/playerdb.c +++ b/FICS/playerdb.c @@ -1907,23 +1907,44 @@ player_add_request(int p, int p1, int type, int param) PUBLIC int player_remove_request(int p, int p1, int type) { - int to = 0, from = 0; + bool removed; + int to = 0, from = 0; while ((to = player_find_pendto(p, p1, type)) != -1) { + removed = false; + for (; to < parray[p].num_to - 1; to++) { + if (to + 1 >= (int)ARRAY_SIZE(parray[0].p_to_list)) { + warnx("%s: overflowed array index read/write", + __func__); + break; + } + parray[p].p_to_list[to] = parray[p].p_to_list[to + 1]; + removed = true; } - parray[p].num_to = (parray[p].num_to - 1); + if (removed) + parray[p].num_to -= 1; } while ((from = player_find_pendfrom(p1, p, type)) != -1) { + removed = false; + for (; from < parray[p1].num_from - 1; from++) { + if (from + 1 >= (int)ARRAY_SIZE(parray[0].p_from_list)) { + warnx("%s: overflowed array index read/write", + __func__); + break; + } + parray[p1].p_from_list[from] = parray[p1].p_from_list[from + 1]; + removed = true; } - parray[p1].num_from = (parray[p1].num_from - 1); + if (removed) + parray[p1].num_from -= 1; } if ((type == PEND_ALL || type == PEND_MATCH) && parray[p].partner >= 0) |
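Review bot: Gating the decrement on `removed` means `num_to` is no longer reduced when the matched entry is the last one in the list (`to == num_to - 1`, which includes the single-pending-request case): the shift loop runs zero times, `removed` stays false, and, assuming `player_find_pendto()` scans the first `num_to` entries (it is defined outside this hunk), the `while` gets the same index back and never terminates. The same happens when the new bounds check breaks on the first iteration, and the `p_from_list` loop has both problems too. I would validate `num_to` / `num_from` against `ARRAY_SIZE` once before shifting and keep the decrement unconditional, as sketched below for the first loop. The body of `player_remove_request` continues past the end of the hunk.

```c
while ((to = player_find_pendto(p, p1, type)) != -1) {
	/* A count within the array bound keeps every to + 1 access in range. */
	if (parray[p].num_to > (int)ARRAY_SIZE(parray[0].p_to_list)) {
		warnx("%s: overflowed array index read/write",
		    __func__);
		break;
	}

	for (; to < parray[p].num_to - 1; to++)
		parray[p].p_to_list[to] = parray[p].p_to_list[to + 1];

	/* The matched entry is gone even when it was the last one. */
	parray[p].num_to -= 1;
}
/* … unchanged: the p_from_list loop, with the same change applied … */
```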