Diffstat (limited to 'FICS/playerdb.c')
-rw-r--r--FICS/playerdb.c43
1 files changed, 34 insertions, 9 deletions
diff --git a/FICS/playerdb.c b/FICS/playerdb.c
index a892e3d..cda4e1a 100644
--- a/FICS/playerdb.c
+++ b/FICS/playerdb.c
@@ -36,6 +36,10 @@
Markus Uhlin 24/12/02 Made many improvements
Markus Uhlin 24/12/04 Added player number checks
Markus Uhlin 25/02/11 Calc string length once
+ Markus Uhlin 25/03/22 Fixed overflowed return value in
+ player_search().
+ Markus Uhlin 25/03/23 Fixed overflowed array index
+ read/write.
*/
#include "stdinclude.h"
@@ -1786,17 +1790,26 @@ player_new_pendto(int p)
PUBLIC int
player_remove_pendto(int p, int p1, int type)
{
- int w;
+ bool removed = false;
+ int w;
if ((w = player_find_pendto(p, p1, type)) < 0)
return -1;
- for (; w < (parray[p].num_to - 1); w++)
+ for (; w < (parray[p].num_to - 1); w++) {
+ if (w + 1 >= (int)ARRAY_SIZE(parray[0].p_to_list)) {
+ warnx("%s: overflowed array index write", __func__);
+ break;
+ }
+
parray[p].p_to_list[w] = parray[p].p_to_list[w + 1];
+ removed = true;
+ }
- parray[p].num_to = (parray[p].num_to - 1);
+ if (removed)
+ parray[p].num_to -= 1;
- return 0;
+ return (removed ? 0 : -1);
}
PUBLIC int
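Review bot: Removing the last entry of the pending list now fails: when `player_find_pendto()` returns `num_to - 1` the loop body never runs, so `removed` stays false, `num_to` is not decremented and the function returns -1. A `break` part-way through also leaves the list partly shifted with the count unchanged, so the stale entry stays and slots are never freed. Validating `num_to` against the array size once before the loop and keeping the unconditional decrement covers the out-of-range case without changing the normal path; the same applies to `player_remove_pendfrom()` in the next hunk. The index `p` is used unchecked in both functions, and whether callers validate it is not visible here.

```c
	if ((w = player_find_pendto(p, p1, type)) < 0)
		return -1;
	if (parray[p].num_to > (int)ARRAY_SIZE(parray[0].p_to_list)) {
		warnx("%s: num_to out of range", __func__);
		return -1;
	}

	/* With num_to bounded, w + 1 stays inside p_to_list. */
	for (; w < (parray[p].num_to - 1); w++)
		parray[p].p_to_list[w] = parray[p].p_to_list[w + 1];

	parray[p].num_to -= 1;
	return 0;
```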
@@ -1840,17 +1853,26 @@ player_new_pendfrom(int p)
PUBLIC int
player_remove_pendfrom(int p, int p1, int type)
{
- int w;
+ bool removed = false;
+ int w;
if ((w = player_find_pendfrom(p, p1, type)) < 0)
return -1;
- for (; w < (parray[p].num_from - 1); w++)
+ for (; w < (parray[p].num_from - 1); w++) {
+ if (w + 1 >= (int)ARRAY_SIZE(parray[0].p_from_list)) {
+ warnx("%s: overflowed array index write", __func__);
+ break;
+ }
+
parray[p].p_from_list[w] = parray[p].p_from_list[w + 1];
+ removed = true;
+ }
- parray[p].num_from = (parray[p].num_from - 1);
+ if (removed)
+ parray[p].num_from -= 1;
- return 0;
+ return (removed ? 0 : -1);
}
PUBLIC int
@@ -2845,8 +2867,11 @@ player_search(int p, char *name)
int p1, count;
// Exact match with connected player?
- if ((p1 = player_find_bylogin(name)) >= 0)
+ if ((p1 = player_find_bylogin(name)) >= 0) {
+ if (p1 + 1 >= (int)ARRAY_SIZE(parray))
+ return 0;
return (p1 + 1);
+ }
// Exact match with registered player?
snprintf(pdir, sizeof pdir, "%s/%c", player_dir, name[0]);
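Review bot: The new guard `p1 + 1 >= (int)ARRAY_SIZE(parray)` also rejects `p1 == ARRAY_SIZE(parray) - 1`, which is a valid index, so a connected player in the last slot would be reported as not found. If callers decode the result as `ret - 1` (not visible in this hunk), the bound should be on the index itself: `if (p1 >= (int)ARRAY_SIZE(parray))`. Unlike the other two hunks this path returns 0 silently; a `warnx("%s: player index out of range", __func__);` before the return would make an inconsistent `player_find_bylogin()` result visible in the logs. The body of `player_search()` continues outside the hunk.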