From 06e795a034dc3ef9ba0980b868686b5b3e15509f Mon Sep 17 00:00:00 2001
From: Markus Uhlin <markus@nifty-networks.net>
Date: Sat, 4 Apr 2026 02:15:13 +0200
Subject: com_stats_andify: bounds check 'p_howmany'

---
 FICS/comproc.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'FICS')

diff --git a/FICS/comproc.c b/FICS/comproc.c
index 1cea82b..b11f564 100644
--- a/FICS/comproc.c
+++ b/FICS/comproc.c
@@ -89,6 +89,9 @@
 #include <bsd/string.h>
 #endif
 
+#define NUMBERS_SIZE \
+	(MAX_OBSERVE > MAX_SIMUL ? MAX_OBSERVE : MAX_SIMUL)
+
 #define WHO_OPEN         0x01
 #define WHO_CLOSED       0x02
 #define WHO_RATED        0x04
@@ -392,6 +395,11 @@ com_stats_andify(int *numbers, int p_howmany, char *dest, size_t dsize)
 
 	*dest = '\0';
 
+	if (p_howmany < 0 || p_howmany >= NUMBERS_SIZE) {
+		warnx("%s: integer out of bounds", __func__);
+		return;
+	}
+
 	while (p_howmany--) {
 		snprintf(tmp, sizeof tmp, "%d", numbers[p_howmany]);
 		strlcat(dest, tmp, dsize);
@@ -447,8 +455,6 @@ com_stats_rating(char *hdr, statistics *stats, char *dest, const size_t dsize)
 PUBLIC int
 com_stats(int p, param_list param)
 {
-#define NUMBERS_SIZE \
-	(MAX_OBSERVE > MAX_SIMUL ? MAX_OBSERVE : MAX_SIMUL)
 	char		 line[255] = { '\0' };
 	char		 tmp[255] = { '\0' };
 	int		 g, i, t;
-- 
cgit v1.2.3