2 files changed, 27 insertions, 2 deletions

diff --git a/FICS/gamedb.c b/FICS/gamedb.c
index ce0842c..7d094c2 100644
--- a/FICS/gamedb.c
+++ b/FICS/gamedb.c
@@ -40,6 +40,8 @@
    Markus Uhlin			25/03/25	ReadGameState: fixed truncated
 						stdio return value.
    Markus Uhlin			25/04/01	Fixed call of risky function
+   Markus Uhlin			25/04/01	ReadV1GameFmt: guard num half
+						moves.
 */
 
 #include "stdinclude.h"
diff --git a/FICS/playerdb.c b/FICS/playerdb.c
index 309a8fc..06694ab 100644
--- a/FICS/playerdb.c
+++ b/FICS/playerdb.c
@@ -43,6 +43,8 @@
    Markus Uhlin                 25/03/29	player_remove_request:
 						fixed overflowed array index
 						read/write.
+   Markus Uhlin                 25/04/02	add_to_list: added an upper
+						limit for the list size.
 */
 
 #include "stdinclude.h"
@@ -409,10 +411,14 @@ add_to_list(FILE *fp, enum ListWhich lw, int *size, int p)
 
 #define SCAN_STR "%1023s"
 
-	if (*size <= 0)
-		return -2;
+	if (*size <= 0 || *size > MAX_GLOBAL_LIST_SIZE) {
+		warnx("%s: illegal list size (%d)", __func__, *size);
+		return -1;
+	}
+
 	while ((*size)-- > 0 && fscanf(fp, SCAN_STR, buf) == 1)
 		list_add(p, lw, buf);
+
 	return (*size <= 0 ? 0 : -1);
 }
 
@@ -578,6 +584,23 @@ ReadV1PlayerFmt(int p, player *pp, FILE *fp, char *file, int version)
 	pp->timeOfReg = array[0];
 	pp->totalTime = array[1];
 
+	if (pp->num_plan > MAX_PLAN) {
+		warnx("Player %s is corrupt\nToo many plans (%d)",
+		   parray[p].name,
+		   pp->num_plan);
+		return;
+	} else if (pp->num_formula > MAX_FORMULA) {
+		warnx("Player %s is corrupt\nToo many formulas (%d)",
+		   parray[p].name,
+		   pp->num_formula);
+		return;
+	} else if (pp->numAlias > MAX_ALIASES) {
+		warnx("Player %s is corrupt\nToo many aliases (%d)",
+		    parray[p].name,
+		    pp->numAlias);
+		return;
+	}
+
 	if (pp->num_plan > 0) {
 		for (i = 0; i < pp->num_plan; i++) {
 			if (fgets(tmp2, sizeof tmp2, fp) == NULL) {