From 312ac55f526f388f6154c9861f232659d348aae2 Mon Sep 17 00:00:00 2001 From: piaip Date: Sat, 5 Jan 2008 14:24:15 +0000 Subject: - fix potential exploits (reported by kcwu) git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@3795 63ad8ddf-47c3-0310-b6dd-a9e9d9715204 --- mbbsd/bbslua.c | 4 ++-- mbbsd/pfterm.c | 6 ++++++ mbbsd/screen.c | 17 +++++++++++++++-- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/mbbsd/bbslua.c b/mbbsd/bbslua.c index 43346a19..2a1096fb 100644 --- a/mbbsd/bbslua.c +++ b/mbbsd/bbslua.c @@ -175,7 +175,7 @@ bl_getdata(lua_State* L) if (n > 0) len = lua_tointeger(L, 1); - if (n > 2) + if (n > 1) echo = lua_tointeger(L, 2); if (len < 2) @@ -449,7 +449,7 @@ bbslua(const char *fpath) move(b_lines-3, 0); clrtobot(); outs("\n"); outs(errmsg); - vmsg("BBS-Lua 錯誤: 請修正程式碼。"); + vmsg("BBS-Lua 錯誤: 請通知作者修正程式碼。"); lua_close(L); return 0; } diff --git a/mbbsd/pfterm.c b/mbbsd/pfterm.c index 9c988ea2..11a4d66c 100644 --- a/mbbsd/pfterm.c +++ b/mbbsd/pfterm.c @@ -1068,6 +1068,10 @@ outstr(const char *str) void outc(unsigned char c) { + // 0xFF is invalid for most cases (even DBCS), + if (c == 0xFF || c == 0x00) + return; + fterm_markdirty(); if (ft.szcmd) { @@ -1392,6 +1396,8 @@ fterm_exec(void) case 'G': // CHA: CSI n G // Moves the cursor to column n. + if (n < 1) + n = 1; getyx(&y, &x); move(y, n-1); break; diff --git a/mbbsd/screen.c b/mbbsd/screen.c index 88696f8a..ffd5029b 100644 --- a/mbbsd/screen.c +++ b/mbbsd/screen.c @@ -53,8 +53,12 @@ resizeterm(int w, int h) void move(int y, int x) { - assert(y>=0); - assert(x>=0); + if (y < 0) y = 0; + if (y >= t_lines) y = t_lines -1; + if (x < 0) x = 0; + if (x >= ANSILINELEN) x = ANSILINELEN -1; + // assert(y>=0); + // assert(x>=0); cur_col = x; cur_ln = y; } 
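Review bot: In bl_getdata() the optional arguments are still gated on hand-written count comparisons (`n > 0`, `n > 1`), the same pattern that produced the off-by-one this hunk corrects. Assuming `len` and `echo` are initialised to their defaults above the hunk, `len = luaL_optinteger(L, 1, len);` and `echo = luaL_optinteger(L, 2, echo);` tie each default to its stack index. They also reject a non-numeric argument, where `lua_tointeger` silently yields 0. Only the lower bound `if (len < 2)` is visible here and the function continues outside the hunk, so confirm that the script-supplied `len` is also capped to the input buffer size before use.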
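Review bot: The comment added above the guard in pfterm.c outc() ends on a dangling comma and mentions only 0xFF, while the check also drops 0x00; the same block is repeated in screen.c outc(). The comment should say why both bytes are discarded, for example `// Drop 0x00 and 0xFF: neither is valid in displayed text (0xFF not even as a DBCS byte).` If the concern is that 0xFF would reach a telnet client as the IAC byte, that reason is worth stating explicitly. The guard covers outc() only, and whether other output paths bypass outc() cannot be checked from this hunk.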
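Review bot: The CHA case in fterm_exec() now clamps only the lower bound, so an oversized column parameter from the escape sequence is still passed to `move(y, n-1)` unchanged. Whether pfterm's own move() bounds its arguments is not visible in this hunk; if it does not, add the matching upper clamp here, along the lines of `if (n > <terminal column count>) n = <terminal column count>;`. The other CSI cases in this switch that take numeric parameters are outside the hunk and are worth checking for the same zero or negative `n`.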
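Review bot: In screen.c move() the upper clamp runs after the lower one, so if `t_lines` is ever 0 (for example before the terminal size is known, which this hunk does not show) `y` ends up as -1 and is stored in `cur_ln`. Applying the lower bound last avoids that: `if (y >= t_lines) y = t_lines - 1;` followed by `if (y < 0) y = 0;`. The same four lines are added to move_ansi() in the next hunk, so a small static helper shared by both would keep the bounds in one place. The two commented-out asserts can be deleted rather than kept as dead code.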
@@ -64,6 +68,11 @@ move_ansi(int y, int x) { // take ANSI length in consideration register screenline_t *slp; + if (y < 0) y = 0; + if (y >= t_lines) y = t_lines -1; + if (x < 0) x = 0; + if (x >= ANSILINELEN) x = ANSILINELEN -1; + cur_ln = y; cur_col = x; @@ -385,6 +394,10 @@ outc(unsigned char c) register screenline_t *slp = GetCurrentLine(); register int i; + // 0xFF is invalid for most cases (even DBCS), + if (c == 0xFF || c == 0x00) + return; + if (c == '\n' || c == '\r') { if (standing) { slp->eso = MAX(slp->eso, cur_col); -- cgit v1.2.3
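Review bot: The clamp added to move_ansi() bounds the requested `x`, but the function's own comment says it takes ANSI length into consideration, which suggests `cur_col` is adjusted again further down. That part of the body is outside the hunk. If it adds the length of embedded escape sequences to `cur_col`, the result needs a second check after the adjustment, such as `if (cur_col >= ANSILINELEN) cur_col = ANSILINELEN - 1;`. Otherwise a line containing many escape sequences could still move the cursor past the buffer bound this commit is trying to enforce.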