Fix an overflow bug in @search.

pennmush · Oct 10, 2018 · 20794ea · 20794ea
1 parent 602c88d
commit 20794ea
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGES.188.md b/CHANGES.188.md
@@ -61,3 +61,4 @@ Fixes
 
 * `add_function` in .cnf files was not properly using the upper case'd string. [#1223, MT]
 * Various PCRE calls in the softcode have had CPU time limit watchdogs added. Discovered by Ashen-Shugar. [GM]
+* Fixed a potential overflow bug in `@search`. Reported by eery. [MG]
diff --git a/src/wiz.c b/src/wiz.c
@@ -1268,9 +1268,13 @@ do_search(dbref player, const char *arg1, char **arg3)
 
     myargs[0] = arg2;
     myargs[1] = arg3[1];
-    for (i = 2; i < INT_MAX && (arg3[i] != NULL); i++) {
+    for (i = 2; i < INT_MAX && (arg3[i] != NULL) && j < MAX_ARG; i++) {
       if ((s = strchr(arg3[i], '='))) {
         *s++ = '\0';
+        if (j == MAX_ARG - 1) {
+          /* Not enough room for arg and value */
+          break;
+        }
         myargs[j++] = arg3[i];
         myargs[j++] = s;
       } else {