From 9d38fb6a704ba503c8a69dce8e26d51d2dcb1c18 Mon Sep 17 00:00:00 2001
From: Markus Uhlin
Date: Tue, 25 Mar 2025 00:37:53 +0100
Subject: com_unalias: fixed overflowed array index read/write
---
 FICS/comproc.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'FICS')
diff --git a/FICS/comproc.c b/FICS/comproc.c
index 4f33d4c..7017aa0 100644
--- a/FICS/comproc.c
+++ b/FICS/comproc.c
@@ -1639,14 +1639,32 @@ com_unalias(int p, param_list param)
 pprintf(p, "You have no alias named '%s'.\n",
 param[0].val.word);
 } else {
+ bool removed = false;
+ const int sz = (int) ARRAY_SIZE(parray[0].alias_list);
+
 rfree(parray[p].alias_list[al].comm_name);
 rfree(parray[p].alias_list[al].alias);
+ parray[p].alias_list[al].comm_name = NULL;
+ parray[p].alias_list[al].alias = NULL;
+
 for (int i = al; i < parray[p].numAlias; i++) {
+ if (i >= sz || i + 1 >= sz) {
+ warnx("%s: overflowed array index read/write",
+ __func__);
+ break;
+ }
+
 parray[p].alias_list[i].comm_name =
 parray[p].alias_list[i + 1].comm_name;
 parray[p].alias_list[i].alias =
 parray[p].alias_list[i + 1].alias;
+ removed = true;
+ }
+
+ if (!removed) {
+ pprintf(p, "Remove error.\n");
+ return COM_FAILED;
 }
 parray[p].numAlias--;
--
cgit v1.2.3
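Review bot: When the alias list is full and `al` is its last slot, the added guard `i + 1 >= sz` breaks on the first iteration, so `removed` stays false and the function returns `COM_FAILED` after the entry has already been freed and set to NULL, while `numAlias` still counts that slot. Code that later walks `alias_list` up to `numAlias` would then presumably meet NULL `comm_name`/`alias` pointers; the lookup code is not visible in this hunk, so that needs confirming. Bounding the shift by the valid entries, `for (int i = al; i + 1 < parray[p].numAlias && i + 1 < sz; i++) {`, avoids reading slot `i + 1` past the last entry and makes removing the last alias a zero-iteration case. The `removed` flag and the "Remove error." branch can then be dropped, provided the vacated final slot is set to NULL after `numAlias--` if the code below the hunk does not already do so. `com_unalias` starts above and continues below the hunk.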