Diffstat (limited to 'FICS/gamedb.c')
-rw-r--r--FICS/gamedb.c46
1 files changed, 32 insertions, 14 deletions
diff --git a/FICS/gamedb.c b/FICS/gamedb.c
index a34fd89..7d094c2 100644
--- a/FICS/gamedb.c
+++ b/FICS/gamedb.c
@@ -39,6 +39,9 @@
Markus Uhlin 25/03/18 Fixed unchecked return values
Markus Uhlin 25/03/25 ReadGameState: fixed truncated
stdio return value.
+ Markus Uhlin 25/04/01 Fixed call of risky function
+ Markus Uhlin 25/04/01 ReadV1GameFmt: guard num half
+ moves.
*/
#include "stdinclude.h"
@@ -46,6 +49,7 @@
#include <err.h>
#include <errno.h>
+#include <limits.h>
#include "command.h"
#include "config.h"
@@ -1319,6 +1323,12 @@ ReadV1GameFmt(game *g, FILE *fp, const char *file, int version)
if (ret[0] != 4 || ret[1] != 1) {
warnx("%s: fscanf error: %s", __func__, file);
return -1;
+ } else if (g->numHalfMoves < 0 || (size_t)g->numHalfMoves >
+ INT_MAX / sizeof(move_t)) {
+ warnx("%s: warning: num half moves out-of-bounds (%d)",
+ __func__,
+ g->numHalfMoves);
+ return -1;
}
if (ReadV1Moves(g, fp) != 0) {
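Review bot: The upper bound added for `g->numHalfMoves` (`INT_MAX / sizeof(move_t)`) only rules out overflow of the size computation, so a corrupt or tampered game file can still declare a count that passes the check and requests an allocation close to 2 GiB. ReadV1Moves is not visible in this hunk, so whether it checks its allocation or stops at end of file needs confirming. Consider also rejecting counts above a realistic game length, e.g. `g->numHalfMoves > MAX_HALF_MOVES`, where `MAX_HALF_MOVES` is a placeholder for a limit the project would define. The message says "warning" although the function returns -1 here, so "error" would match the behaviour.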
@@ -1844,38 +1854,46 @@ write_g_out(int g, char *file, int maxlines, int isDraw, char *EndSymbol,
* Find from_spot in journal list - return 0 if corrupted
*/
PUBLIC int
-journal_get_info(int p, char from_spot, char *WhiteName, int *WhiteRating,
- char *BlackName, int *BlackRating, char *type, int *t, int *i, char *eco,
- char *ending, char *result, char *fname)
+journal_get_info(struct JGI_context *ctx, const char *fname)
{
FILE *fp;
char count;
if ((fp = fopen(fname, "r")) == NULL) {
fprintf(stderr, "Corrupt journal file! %s\n", fname);
- pprintf(p, "The journal file is corrupt! See an admin.\n");
+ pprintf(ctx->p, "The journal file is corrupt! See an admin.\n");
return 0;
}
while (!feof(fp)) {
- if (fscanf(fp, "%c %s %d %s %d %s %d %d %s %s %s\n",
+ _Static_assert(ARRAY_SIZE(ctx->WhiteName) > 20,
+ "'WhiteName' too small");
+ _Static_assert(ARRAY_SIZE(ctx->BlackName) > 20,
+ "'BlackName' too small");
+
+ _Static_assert(ARRAY_SIZE(ctx->type) > 99, "'type' too small");
+ _Static_assert(ARRAY_SIZE(ctx->eco) > 99, "'eco' too small");
+ _Static_assert(ARRAY_SIZE(ctx->ending) > 99, "'ending' too small");
+ _Static_assert(ARRAY_SIZE(ctx->result) > 99, "'result' too small");
+
+ if (fscanf(fp, "%c %20s %d %20s %d %99s %d %d %99s %99s %99s\n",
&count,
- WhiteName, &(*WhiteRating),
- BlackName, &(*BlackRating),
- type,
- &(*t), &(*i),
- eco,
- ending,
- result) != 11) {
+ ctx->WhiteName, &ctx->WhiteRating,
+ ctx->BlackName, &ctx->BlackRating,
+ ctx->type,
+ &ctx->t, &ctx->i,
+ ctx->eco,
+ ctx->ending,
+ ctx->result) != 11) {
fprintf(stderr, "FICS: Error in journal info format. "
"%s\n", fname);
- pprintf(p, "The journal file is corrupt! Error in "
+ pprintf(ctx->p, "The journal file is corrupt! Error in "
"internal format.\n");
fclose(fp);
return 0;
}
- if (tolower(count) == from_spot) {
+ if (tolower(count) == ctx->from_spot) {
fclose(fp);
return 1;
}
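Review bot: `tolower(count)` on the last changed line receives a plain `char` that was just read from the journal file with `%c`; where `char` is signed, a byte of 0x80 or above becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions. Cast first: `if (tolower((unsigned char)count) == ctx->from_spot) {`. Separately, the `while (!feof(fp))` loop is left as it was, so an empty journal file appears to be reported as corrupt because the first `fscanf` returns EOF rather than 11; using the `fscanf` result as the loop condition would separate end of file from a malformed record. The `_Static_assert` lines do not depend on the loop and would read better placed once above it. The body of journal_get_info continues past the end of the hunk.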