From 417de0bdfedecc2b5d9c406eb83a9d22d479c847 Mon Sep 17 00:00:00 2001
From: Markus Uhlin <markus@nifty-networks.net>
Date: Wed, 8 Apr 2026 01:36:12 +0200
Subject: Handle snprintf() truncation

---
 FICS/comproc.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

(limited to 'FICS')

diff --git a/FICS/comproc.c b/FICS/comproc.c
index e7fb4fa..25e3557 100644
--- a/FICS/comproc.c
+++ b/FICS/comproc.c
@@ -1942,7 +1942,7 @@ com_mailsource(int p, param_list param)
 	char		*iwant;
 	char		 fname[MAX_FILENAME_SIZE] = { '\0' };
 	char		 subj[120] = { '\0' };
-	int		 count;
+	int		 count, ret;
 
 	if (!parray[p].registered) {
 		pprintf(p, "Only registered people can use the mailsource "
@@ -1964,10 +1964,15 @@ com_mailsource(int p, param_list param)
 		    "server %s: %s",
 		    fics_hostname,
 		    *buffer);
-		snprintf(fname, sizeof fname, "%s/%s",
+		ret = snprintf(fname, sizeof fname, "%s/%s",
 		    source_dir,
 		    *buffer);
 
+		if (is_too_long(ret, sizeof fname)) {
+			warnx("%s: too long filename", __func__);
+			return COM_FAILED;
+		}
+
 		mail_file_to_user(p, subj, fname);
 
 		pprintf(p, "Source file %s sent to %s\n", *buffer,
@@ -2004,7 +2009,7 @@ com_mailhelp(int p, param_list param)
 	char		*iwant;
 	char		 fname[MAX_FILENAME_SIZE] = { '\0' };
 	char		 subj[120] = { '\0' };
-	int		 count;
+	int		 count, ret;
 	int		 lang = parray[p].language;
 
 	if (!parray[p].registered) {
@@ -2042,10 +2047,15 @@ com_mailhelp(int p, param_list param)
 		    "server %s: %s",
 		    fics_hostname,
 		    *buffer);
-		snprintf(fname, sizeof fname, "%s/%s",
+		ret = snprintf(fname, sizeof fname, "%s/%s",
 		    help_dir[lang],
 		    *buffer);
 
+		if (is_too_long(ret, sizeof fname)) {
+			warnx("%s: too long filename", __func__);
+			return COM_FAILED;
+		}
+
 		mail_file_to_user(p, subj, fname);
 
 		pprintf(p, "Help file %s sent to %s\n", *buffer,
-- 
cgit v1.2.3