From 6c2eba74942c4a531fac4f7c3f2f1a46e79cc438 Mon Sep 17 00:00:00 2001
From: Markus Uhlin
Date: Sun, 23 Mar 2025 13:09:52 +0100
Subject: Fixed overflowed array index write
---
 FICS/playerdb.c | 34 ++++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 8 deletions(-)
diff --git a/FICS/playerdb.c b/FICS/playerdb.c
index cf7a014..238425a 100644
--- a/FICS/playerdb.c
+++ b/FICS/playerdb.c
@@ -1788,17 +1788,26 @@ player_new_pendto(int p)
 PUBLIC int
 player_remove_pendto(int p, int p1, int type)
 {
- int w;
+ bool removed = false;
+ int w;
 if ((w = player_find_pendto(p, p1, type)) < 0)
 return -1;
- for (; w < (parray[p].num_to - 1); w++)
+ for (; w < (parray[p].num_to - 1); w++) {
+ if (w + 1 >= (int)ARRAY_SIZE(parray[0].p_to_list)) {
+ warnx("%s: overflowed array index write", __func__);
+ break;
+ }
+
 parray[p].p_to_list[w] = parray[p].p_to_list[w + 1];
+ removed = true;
+ }
- parray[p].num_to = (parray[p].num_to - 1);
+ if (removed)
+ parray[p].num_to -= 1;
- return 0;
+ return (removed ? 0 : -1);
 }
 PUBLIC int
@@ -1842,17 +1851,26 @@ player_new_pendfrom(int p)
 PUBLIC int
 player_remove_pendfrom(int p, int p1, int type)
 {
- int w;
+ bool removed = false;
+ int w;
 if ((w = player_find_pendfrom(p, p1, type)) < 0)
 return -1;
- for (; w < (parray[p].num_from - 1); w++)
+ for (; w < (parray[p].num_from - 1); w++) {
+ if (w + 1 >= (int)ARRAY_SIZE(parray[0].p_from_list)) {
+ warnx("%s: overflowed array index write", __func__);
+ break;
+ }
+
 parray[p].p_from_list[w] = parray[p].p_from_list[w + 1];
+ removed = true;
+ }
- parray[p].num_from = (parray[p].num_from - 1);
+ if (removed)
+ parray[p].num_from -= 1;
- return 0;
+ return (removed ? 0 : -1);
 }
 PUBLIC int
--
cgit v1.2.3
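Review bot: In the new player_remove_pendto loop `removed` is only set inside the loop body, so when player_find_pendto returns the last index (w == num_to - 1, which is every removal when num_to is 1) the loop never runs, num_to is not decremented and the function returns -1 even though the entry was found; player_remove_pendfrom in the second hunk has the same regression. The last element needs no shifting, only the decrement, so the flag should mean "no overflow was hit" rather than "at least one element was moved": initialise it as `bool removed = true;`, add `removed = false;` next to the `break;` in the overflow branch, and drop the `removed = true;` line from the loop body. That also makes the warning path consistent, because on a detected overflow num_to is then left untouched and -1 is returned instead of decrementing a count that is already beyond the array bound. The overflow check can only trigger when num_to already exceeds ARRAY_SIZE(p_to_list), so validating num_to where it is incremented (outside this hunk, presumably in player_new_pendto) would catch the corruption earlier than the removal path does.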