From 9fad479e6d08de5f05737ad46d1a7e98597f7188 Mon Sep 17 00:00:00 2001
From: piaip <piaip@63ad8ddf-47c3-0310-b6dd-a9e9d9715204>
Date: Sun, 2 Dec 2007 09:56:01 +0000
Subject: - brcV3: fixed v2 conversion error (v2 may truncate board
 information)

git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@3612 63ad8ddf-47c3-0310-b6dd-a9e9d9715204
---
 mbbsd/brc.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/mbbsd/brc.c b/mbbsd/brc.c
index 74346a5c..6b78f205 100644
--- a/mbbsd/brc.c
+++ b/mbbsd/brc.c
@@ -279,6 +279,7 @@ read_brc2(void)
     sz3 = sz2 * 2; // max double size
 
     cvthead = cvt = malloc (sz3);
+    memset(cvthead, 0, sz3);
     // now calculate real sz3
 
     while (read(fd, &bid2, sizeof(bid2)) > 0)
@@ -289,14 +290,24 @@ read_brc2(void)
 	bid = bid2;
 	num = num2;
 
+	// some brc v2 contains bad structure.
+	// check pointer here.
+	if (cvt + sizeof(brcbid_t) + sizeof(brcnbrd_t) - cvthead >= sz3)
+	    break;
+
 	*(brcbid_t*) cvt = bid; cvt += sizeof(brcbid_t);
 	*(brcnbrd_t*)cvt = num; cvt += sizeof(brcnbrd_t);
 
-	for (; num > 0; num--)
+	// some brc v2 contains bad structure.
+	// check pointer here.
+	for (; num > 0 && (cvt + sizeof(brc_rec) - cvthead) <= sz3 ; num--)
 	{
-	    read(fd, &create, sizeof(create));
+	    if (read(fd, &create, sizeof(create)) < 1)
+		break;
+
 	    rec.create = create;
 	    rec.modified = create;
+
 	    *(brc_rec*)cvt = rec; cvt += sizeof(brc_rec);
 	}
     }
-- 
cgit v1.2.3