- fix buffer overflow (due to some invalid friend file containing very long id)

git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@4015 63ad8ddf-47c3-0310-b6dd-a9e9d9715204

1 files changed, 5 insertions, 3 deletions

diff --git a/mbbsd/friend.c b/mbbsd/friend.c
index 4fbc0be3..e5d9776d 100644
--- a/mbbsd/friend.c
+++ b/mbbsd/friend.c
@@ -202,15 +202,17 @@ delete_friend_from_file(const char *file, const char *string, int  case_sensitiv
 {
     FILE *fp = NULL, *nfp = NULL;
     char fnew[PATHLEN];
-    char genbuf[STRLEN + 1];
+    char genbuf[STRLEN + 1], buf[STRLEN];
     int ret = 0;
 
-    sprintf(fnew, "%s.%3.3X", file, (unsigned int)(random() & 0xFFF));
+    snprintf(fnew, sizeof(fnew), "%s.%3.3X", file, (unsigned int)(random() & 0xFFF));
     if ((fp = fopen(file, "r")) && (nfp = fopen(fnew, "w"))) {
 	while (fgets(genbuf, sizeof(genbuf), fp))
 	    if ((genbuf[0] > ' ')) {
-		char buf[32];
+		// prevent buffer overflow
+		genbuf[sizeof(genbuf)-1] =0;
 		sscanf(genbuf, " %s", buf);
+		genbuf[sizeof(buf)-1] =0;
 		if (((case_sensitive && strcmp(buf, string)) ||
 		    (!case_sensitive && strcasecmp(buf, string))))
     		    fputs(genbuf, nfp);