Diffstat (limited to 'FICS/playerdb.c')
| -rw-r--r-- | FICS/playerdb.c | 40 |
1 files changed, 29 insertions, 11 deletions
diff --git a/FICS/playerdb.c b/FICS/playerdb.c
index 2b8ef04..2fbc975 100644
--- a/FICS/playerdb.c
+++ b/FICS/playerdb.c
@@ -49,6 +49,8 @@
 Markus Uhlin 25/07/28 Restricted file permissions upon creation.
 Markus Uhlin 25/07/30 Usage of 'int64_t'.
+ Markus Uhlin 25/11/02 Added overflow checks for array
+ indices.
 */
 #include "stdinclude.h"
@@ -1085,8 +1087,8 @@ player_read(int p, char *name)
 	char line[MAX_LINE_SIZE] = { '\0' };
 	char *attr, *value;
 	char *resolvedPath = NULL;
-	int len = 0;
 	int version = 0;
+	size_t len = 0;
 	parray[p].login = stolower(xstrdup(name)); // free on error?
@@ -2072,17 +2074,25 @@ player_decline_offers(int p, int p1, int offerType)
 	}
 	while ((offer = player_find_pendfrom(p, p1, offerType)) >= 0) {
+		if (offer >= (int)ARRAY_SIZE(parray[0].p_from_list)) {
+			warnx("%s: 'offer' too large", __func__);
+			break;
+		}
+
 		type = parray[p].p_from_list[offer].type;
 		p2 = parray[p].p_from_list[offer].whofrom;
 		p2Name = parray[p2].name;
-		part = parray[p].partner;
-		if (part >= 0 && parray[part].partner != p)
+		if ((part = parray[p].partner) >= (int)ARRAY_SIZE(parray)) {
+			errx(1, "%s: 'part' (%d) too large", __func__,
+			    part);
+		} else if (part >= 0 && parray[part].partner != p)
 			part = -1;
-		p2part = parray[p2].partner;
-
-		if (p2part >= 0 && parray[p2part].partner != p2)
+		if ((p2part = parray[p2].partner) >= (int)ARRAY_SIZE(parray)) {
+			errx(1, "%s: 'p2part' (%d) too large", __func__,
+			    p2part);
+		} else if (p2part >= 0 && parray[p2part].partner != p2)
 			p2part = -1;
 		switch (type) {
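Review bot: `len` changes from `int` to `size_t`, but every use of `len` lies outside this hunk in the rest of player_read, so the effect of the new type on those uses is not visible here; if `len` is ever assigned a signed result (an int return that is -1 on error) or compared against an int, that comparison silently becomes unsigned and the error value turns into a very large length. Worth checking those uses with `-Wsign-compare`/`-Wconversion` before relying on the new type. Moving the declaration after `version` rather than changing it in place is harmless, though keeping the original position would have made the diff smaller.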
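Review bot: `p2` is read from `parray[p].p_from_list[offer].whofrom` and used as an index into `parray` on the very next line (`parray[p2].name`, later `parray[p2].partner`) without the range check the hunk now applies to `offer`, `part` and `p2part`, so a stale or corrupted `whofrom` still reaches an out-of-bounds read. A check in the same shape as the `offer` one closes that gap: `if (p2 < 0 || p2 >= (int)ARRAY_SIZE(parray)) { warnx("%s: 'p2' out of range", __func__); break; }`. The partner checks also escalate from `warnx` to `errx(1, ...)`, which terminates the whole process on one bad `partner` value — a single inconsistent player record becomes a server-wide outage — whereas treating it like a missing partner (`warnx(...); part = -1;`) keeps recovery local, as the `offer` case does. Both points apply equally to the player_withdraw_offers hunk below (`whoto`, `p_to_list`). The body of player_decline_offers continues past the hunk, and `ARRAY_SIZE(parray)` is only meaningful if `parray` is declared as an array rather than a pointer, which this diff does not show — worth confirming.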
@@ -2185,17 +2195,25 @@ player_withdraw_offers(int p, int p1, int offerType)
 	}
 	while ((offer = player_find_pendto(p, p1, offerType)) >= 0) {
+		if (offer >= (int)ARRAY_SIZE(parray[0].p_to_list)) {
+			warnx("%s: 'offer' too large", __func__);
+			break;
+		}
+
 		type = parray[p].p_to_list[offer].type;
 		p2 = parray[p].p_to_list[offer].whoto;
 		p2Name = parray[p2].name;
-		part = parray[p].partner;
-		if (part >= 0 && parray[part].partner != p)
+		if ((part = parray[p].partner) >= (int)ARRAY_SIZE(parray)) {
+			errx(1, "%s: 'part' (%d) too large", __func__,
+			    part);
+		} else if (part >= 0 && parray[part].partner != p)
 			part = -1;
-		p2part = parray[p2].partner;
-
-		if (p2part >= 0 && parray[p2part].partner != p2)
+		if ((p2part = parray[p2].partner) >= (int)ARRAY_SIZE(parray)) {
+			errx(1, "%s: 'p2part' (%d) too large", __func__,
+			    p2part);
+		} else if (p2part >= 0 && parray[p2part].partner != p2)
 			p2part = -1;
 		switch (type) { |
