aboutsummaryrefslogtreecommitdiffstats
path: root/FICS/comproc.c
diff options
context:
space:
mode:
Diffstat (limited to 'FICS/comproc.c')
-rw-r--r--FICS/comproc.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/FICS/comproc.c b/FICS/comproc.c
index 4f33d4c..31f6064 100644
--- a/FICS/comproc.c
+++ b/FICS/comproc.c
@@ -41,6 +41,8 @@
value 'rat' in who_terse().
Markus Uhlin 25/03/16 Fixed use of 32-bit 'time_t'.
Markus Uhlin 25/03/16 Fixed untrusted array index.
+ Markus Uhlin 25/03/25 com_unalias: fixed overflowed
+ array index read/write.
*/
#include "stdinclude.h"
@@ -1639,14 +1641,32 @@ com_unalias(int p, param_list param)
pprintf(p, "You have no alias named '%s'.\n",
param[0].val.word);
} else {
+ bool removed = false;
+ const int sz = (int) ARRAY_SIZE(parray[0].alias_list);
+
rfree(parray[p].alias_list[al].comm_name);
rfree(parray[p].alias_list[al].alias);
+ parray[p].alias_list[al].comm_name = NULL;
+ parray[p].alias_list[al].alias = NULL;
+
for (int i = al; i < parray[p].numAlias; i++) {
+ if (i >= sz || i + 1 >= sz) {
+ warnx("%s: overflowed array index read/write",
+ __func__);
+ break;
+ }
+
parray[p].alias_list[i].comm_name =
parray[p].alias_list[i + 1].comm_name;
parray[p].alias_list[i].alias =
parray[p].alias_list[i + 1].alias;
+ removed = true;
+ }
+
+ if (!removed) {
+ pprintf(p, "Remove error.\n");
+ return COM_FAILED;
}
parray[p].numAlias--;
generated by cgit v1.2.3 (git 2.25.1) at 2025-03-28 01:56:47 +0000