Diffstat (limited to 'FICS/playerdb.c')
-rw-r--r-- | FICS/playerdb.c | 59 |
1 files changed, 40 insertions, 19 deletions
diff --git a/FICS/playerdb.c b/FICS/playerdb.c index 238425a..309a8fc 100644 --- a/FICS/playerdb.c +++ b/FICS/playerdb.c @@ -38,6 +38,11 @@ Markus Uhlin 25/02/11 Calc string length once Markus Uhlin 25/03/22 Fixed overflowed return value in player_search(). + Markus Uhlin 25/03/23 Fixed overflowed array index + read/write. + Markus Uhlin 25/03/29 player_remove_request: + fixed overflowed array index + read/write. */ #include "stdinclude.h" @@ -1804,10 +1809,10 @@ player_remove_pendto(int p, int p1, int type) removed = true; } - if (removed) - parray[p].num_to -= 1; + UNUSED_VAR(removed); + parray[p].num_to -= 1; - return (removed ? 0 : -1); + return (0); } PUBLIC int @@ -1867,10 +1872,10 @@ player_remove_pendfrom(int p, int p1, int type) removed = true; } - if (removed) - parray[p].num_from -= 1; + UNUSED_VAR(removed); + parray[p].num_from -= 1; - return (removed ? 0 : -1); + return (0); } PUBLIC int 
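Review bot: In player_remove_pendto the count is now decremented unconditionally and the function always returns `0`, so callers can no longer tell "nothing removed" from success, and `removed` becomes a write-only variable that `UNUSED_VAR(removed);` merely silences. The lookup and shift loop that precede these lines are outside the hunk, so it cannot be confirmed here that `num_to` is at least 1 on this path; a counter that drops below zero would later be used as a list bound. I would drop `removed` entirely and guard the decrement, `if (parray[p].num_to > 0) parray[p].num_to -= 1;`. The player_remove_pendfrom hunk has the same shape with `num_from` and should get the same treatment.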
@@ -1905,28 +1910,44 @@ player_add_request(int p, int p1, int type, int param) PUBLIC int player_remove_request(int p, int p1, int type) { - int to = 0, from = 0; + bool removed; + int to = 0, from = 0; + + while (to != -1 && (to = player_find_pendto(p, p1, type)) != -1) { + removed = false; - while (to != -1) { - if ((to = player_find_pendto(p, p1, type)) != -1) { - for (; to < parray[p].num_to - 1; to++) { - parray[p].p_to_list[to] = - parray[p].p_to_list[to + 1]; + for (; to < parray[p].num_to - 1; to++) { + if (to + 1 >= (int)ARRAY_SIZE(parray[0].p_to_list)) { + warnx("%s: overflowed array index read/write", + __func__); + break; } - parray[p].num_to = (parray[p].num_to - 1); + parray[p].p_to_list[to] = parray[p].p_to_list[to + 1]; + removed = true; } + + UNUSED_VAR(removed); + parray[p].num_to -= 1; } - while (from != -1) { - if ((from = player_find_pendfrom(p1, p, type)) != -1) { - for (; from < parray[p1].num_from - 1; from++) { - parray[p1].p_from_list[from] = - parray[p1].p_from_list[from + 1]; + while (from != -1 && (from = player_find_pendfrom(p1, p, type)) != -1) { + removed = false; + + for (; from < parray[p1].num_from - 1; from++) { + if (from + 1 >= (int)ARRAY_SIZE(parray[0].p_from_list)) { + warnx("%s: overflowed array index read/write", + __func__); + break; } - parray[p1].num_from = (parray[p1].num_from - 1); + parray[p1].p_from_list[from] = + parray[p1].p_from_list[from + 1]; + removed = true; } + + UNUSED_VAR(removed); + parray[p1].num_from -= 1; } if ((type == PEND_ALL || type == PEND_MATCH) && parray[p].partner >= 0) |
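Review bot: When the new bounds guard in the `to` loop of player_remove_request fires, the code warns and breaks but still executes `parray[p].num_to -= 1;`, so the count shrinks even though the found entry was not fully shifted out, and the list and its count may stay inconsistent. The guard tripping implies `num_to` is larger than the capacity of `p_to_list`, so it seems safer to repair the count at that point, for example by clamping it to `(int)ARRAY_SIZE(parray[0].p_to_list)` before the decrement. The warning also says nothing about which player or index was involved; something like `warnx("%s: p=%d to=%d num_to=%d: index out of range", __func__, p, to, parray[p].num_to);` would make the log usable when investigating a corrupted player record. The `from` loop has the same pattern with `p1` and `num_from`, and in both loops `removed` is assigned but never read, so it and `UNUSED_VAR(removed);` can go.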