From 4e8a2c25129260c61df345f15715d75c715cb92c Mon Sep 17 00:00:00 2001
From: kcwu <kcwu@63ad8ddf-47c3-0310-b6dd-a9e9d9715204>
Date: Sat, 8 Apr 2006 14:58:06 +0000
Subject: add a lot of assertions to ensure bid is in correct range when access
 via bid.

git-svn-id: http://opensvn.csie.org/pttbbs/trunk/pttbbs@3341 63ad8ddf-47c3-0310-b6dd-a9e9d9715204
---
 mbbsd/admin.c     |  8 ++++++
 mbbsd/bbs.c       | 52 +++++++++++++++++++++++++++++++++++--
 mbbsd/board.c     | 77 ++++++++++++++++++++++++++++++++++++++++++++-----------
 mbbsd/brc.c       |  1 +
 mbbsd/cache.c     | 11 ++++++++
 mbbsd/fav.c       |  4 +++
 mbbsd/friend.c    |  2 ++
 mbbsd/io.c        |  7 +++++
 mbbsd/mail.c      |  1 +
 mbbsd/menu.c      |  1 +
 mbbsd/stuff.c     | 10 ++++++++
 mbbsd/vote.c      |  4 +++
 mbbsd/voteboard.c |  1 +
 13 files changed, 162 insertions(+), 17 deletions(-)

(limited to 'mbbsd')

diff --git a/mbbsd/admin.c b/mbbsd/admin.c
index d4336052..c75c8ef0 100644
--- a/mbbsd/admin.c
+++ b/mbbsd/admin.c
@@ -339,6 +339,7 @@ setup_man(const boardheader_t * board, const boardheader_t * oldboard)
 
 void delete_symbolic_link(boardheader_t *bh, int bid)
 {
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     memset(bh, 0, sizeof(boardheader_t));
     substitute_record(fn_board, bh, sizeof(boardheader_t), bid);
     reset_board(bid);
@@ -417,6 +418,7 @@ m_mod_board(char *bname)
 	vmsg(err_bid);
 	return -1;
     }
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     prints("看板名稱：%s\n看板說明：%s\n看板bid：%d\n看板GID：%d\n"
 	   "板主名單：%s", bh.brdname, bh.title, bid, bh.gid, bh.BM);
     bperm_msg(&bh);
@@ -482,6 +484,7 @@ m_mod_board(char *bname)
 	    prints("看板 %s 原來的 BVote：%d", bh.brdname, bh.bvote);
 	    getdata_str(21, 0, "新的 Bvote：", genbuf, 5, LCECHO, bvotebuf);
 	    newbh.bvote = atoi(genbuf);
+	    assert(0<=bid-1 && bid-1<MAX_BOARD);
 	    substitute_record(fn_board, &newbh, sizeof(newbh), bid);
 	    reset_board(bid);
 	    log_usies("SetBoardBvote", newbh.brdname);
@@ -498,6 +501,7 @@ m_mod_board(char *bname)
 		newbh.brdattr = newbh.brdattr & (!BRD_BAD);
 	    else
 		newbh.brdattr = newbh.brdattr | BRD_BAD;
+	    assert(0<=bid-1 && bid-1<MAX_BOARD);
 	    substitute_record(fn_board, &newbh, sizeof(newbh), bid);
 	    reset_board(bid);
 	    log_usies("ViolateLawSet", newbh.brdname);
@@ -525,6 +529,7 @@ m_mod_board(char *bname)
 	    snprintf(bh.title, sizeof(bh.title),
 		     "     %s 看板 %s 刪除", bname, cuser.userid);
 	    post_msg("Security", bh.title, "請注意刪除的合法性", "[系統安全局]");
+	    assert(0<=bid-1 && bid-1<MAX_BOARD);
 	    substitute_record(fn_board, &bh, sizeof(bh), bid);
 	    reset_board(bid);
             sort_bcache(); 
@@ -637,6 +642,7 @@ m_mod_board(char *bname)
 		Rename(src, tar);
 	    }
 	    setup_man(&newbh, &bh);
+	    assert(0<=bid-1 && bid-1<MAX_BOARD);
 	    substitute_record(fn_board, &newbh, sizeof(newbh), bid);
 	    reset_board(bid);
             sort_bcache(); 
@@ -815,6 +821,7 @@ static int add_board_record(const boardheader_t *board)
 {
     int bid;
     if ((bid = getbnum("")) > 0) {
+	assert(0<=bid-1 && bid-1<MAX_BOARD);
 	substitute_record(fn_board, board, sizeof(boardheader_t), bid);
 	reset_board(bid);
         sort_bcache(); 
@@ -952,6 +959,7 @@ int make_symbolic_link(const char *bname, int gid)
     
     bid = getbnum(bname);
     if(bid==0) return -1;
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     memset(&newboard, 0, sizeof(newboard));
 
     /*
diff --git a/mbbsd/bbs.c b/mbbsd/bbs.c
index 0f6141f9..02eb00e7 100644
--- a/mbbsd/bbs.c
+++ b/mbbsd/bbs.c
@@ -147,6 +147,7 @@ set_board(void)
 {
     boardheader_t  *bp;
 
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     bp = getbcache(currbid);
     if( !HasBoardPerm(bp) ){
 	vmsg("access control violation, exit");
@@ -223,6 +224,7 @@ CheckPostPerm(void)
 	    last_board_index = getbnum(currboard);
 	    valid_index = 1;
 	}
+	assert(0<=last_board_index-1 && last_board_index-1<MAX_BOARD);
 	bp = getbcache(last_board_index);
 
 	if(bp->perm_reload != last_chk_time)
@@ -234,6 +236,7 @@ CheckPostPerm(void)
 	if(!valid_index)
 	{
 	    last_board_index = getbnum(currboard);
+	    assert(0<=last_board_index-1 && last_board_index-1<MAX_BOARD);
 	    bp = getbcache(last_board_index);
 	}
 	last_chk_time = bp->perm_reload;
@@ -257,6 +260,7 @@ readtitle(void)
     boardheader_t  *bp;
     char    *brd_title;
 
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     bp = getbcache(currbid);
     if(bp->bvote != 2 && bp->bvote)
 	brd_title = "本看板進行投票中";
@@ -276,6 +280,7 @@ readtitle(void)
 #endif
     {
 	char buf[32];
+	assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	sprintf(buf, "人氣:%d ",
 	   SHM->bcache[currbid - 1].nuser);
 	outslr("", 44, buf, -1);
@@ -441,6 +446,7 @@ do_select(void)
     CompleteBoard(MSG_SELECT_BOARD, bname);
     if (bname[0] == '\0' || !(i = getbnum(bname)))
 	return FULLUPDATE;
+    assert(0<=i-1 && i-1<MAX_BOARD);
     bh = getbcache(i);
     if (!HasBoardPerm(bh))
 	return FULLUPDATE;
@@ -598,6 +604,7 @@ do_crosspost(const char *brd, fileheader_t *postfile, const char *fpath)
     setbdir(genbuf, brd);
     if (append_record(genbuf, &fh, sizeof(fileheader_t)) != -1) {
 	int bid = getbnum(brd);
+	assert(0<=bid-1 && bid-1<MAX_BOARD);
 	SHM->lastposttime[bid - 1] = now;
 	touchbpostnum(bid, 1);
     }
@@ -675,6 +682,7 @@ do_general(int isbid)
     int             islocal, posttype=-1;
 
     ifuseanony = 0;
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     bp = getbcache(currbid);
 
     if( !CheckPostPerm()
@@ -933,6 +941,7 @@ do_post(void)
 {
     boardheader_t  *bp;
     STATINC(STAT_DOPOST);
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     bp = getbcache(currbid);
     if (bp->brdattr & BRD_VOTEBOARD)
 	return do_voteboard(0);
@@ -953,6 +962,7 @@ do_post_openbid(void)
     char ans[4];
     boardheader_t  *bp;
 
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     bp = getbcache(currbid);
     if (!(bp->brdattr & BRD_VOTEBOARD))
     {
@@ -972,6 +982,7 @@ do_generalboardreply(/*const*/ fileheader_t * fhdr)
 {
     char            genbuf[3];
     
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     if ( !((currmode & MODE_BOARD) || HasUserPerm(PERM_SYSOP)) &&
 	    (cuser.firstlogin > (now - (time4_t)bcache[currbid - 1].post_limit_regtime * 2592000) ||
 	    cuser.numlogins < ((unsigned int)(bcache[currbid - 1].post_limit_logins) * 10) ||
@@ -1046,6 +1057,7 @@ b_posttype(int ent, const fileheader_t * fhdr, const char *direct)
 
    if(!(currmode & MODE_BOARD)) return DONOTHING;
    
+   assert(0<=currbid-1 && currbid-1<MAX_BOARD);
    bp = getbcache(currbid);
 
    move(2,0);
@@ -1082,6 +1094,7 @@ b_posttype(int ent, const fileheader_t * fhdr, const char *direct)
    bp->posttype_f = posttype_f; 
    strlcpy(bp->posttype, posttype, sizeof(bp->posttype)); /* 這邊應該要防race condition */
 
+   assert(0<=currbid-1 && currbid-1<MAX_BOARD);
    substitute_record(fn_board, bp, sizeof(boardheader_t), currbid);
    return FULLUPDATE;
 }
@@ -1102,6 +1115,7 @@ do_reply(/*const*/ fileheader_t * fhdr)
           return FULLUPDATE;
      }
 
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     bp = getbcache(currbid);
     setbfile(quote_file, bp->brdname, fhdr->filename);
     if (bp->brdattr & BRD_VOTEBOARD || (fhdr->filemode & FILE_VOTE))
@@ -1128,6 +1142,7 @@ edit_post(int ent, fileheader_t * fhdr, const char *direct)
     struct stat     oldstat, newstat;
     int		    isSysop = 0, recordTouched = 0;
 
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     if (strcmp(bp->brdname, "Security") == 0)
 	return DONOTHING;
 
@@ -1292,6 +1307,7 @@ cross_post(int ent, fileheader_t * fhdr, const char *direct)
     move(2, 0);
     clrtoeol();
     move(1, 0);
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     bp = getbcache(currbid);
     if (bp && (bp->brdattr & BRD_VOTEBOARD) )
 	return FULLUPDATE;
@@ -1309,6 +1325,7 @@ cross_post(int ent, fileheader_t * fhdr, const char *direct)
     /* 借用變數 */
     ent = str_checksum(fhdr->title);
     author = getbnum(xboard);
+    assert(0<=author-1 && author-1<MAX_BOARD);
 
     if ((ent != 0 && ent == postrecord.checksum[0]) &&
 	(author != 0 && author != postrecord.last_bid)) {
@@ -1404,8 +1421,10 @@ cross_post(int ent, fileheader_t * fhdr, const char *direct)
 	    char bname[STRLEN] = "";
 	    struct tm *ptime = localtime4(&now);
 	    int maxlength = 51 +2 - 6;
+	    int bid = getbnum(xboard);
 
-	    bp = getbcache(getbnum(xboard));
+	    assert(0<=bid-1 && bid-1<MAX_BOARD);
+	    bp = getbcache(bid);
 	    if ((bp->brdattr & BRD_HIDE) && (bp->brdattr & BRD_POSTMASK)) 
 	    {
 		/* mosaic it */
@@ -1446,8 +1465,12 @@ cross_post(int ent, fileheader_t * fhdr, const char *direct)
 	    do_add_recommend(direct, fhdr,  ent, buf, 2);
 	} else
 #endif
+	{
+	    int bid = getbnum(xboard);
+	    assert(0<=bid-1 && bid-1<MAX_BOARD);
 	/* now point bp to new bord */
-	bp = getbcache(getbnum(xboard));
+	bp = getbcache(bid);
+	}
 
 	/*
 	 * Cross fs有問題 } else { unlink(xfpath); link(fname, xfpath); }
@@ -1528,6 +1551,7 @@ do_limitedit(int ent, fileheader_t * fhdr, const char *direct)
     int             temp;
     boardheader_t  *bp = getbcache(currbid);
 
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     if (!((currmode & MODE_BOARD) || HasUserPerm(PERM_SYSOP)))
 	return DONOTHING;
     
@@ -1561,6 +1585,7 @@ do_limitedit(int ent, fileheader_t * fhdr, const char *direct)
 	    temp = atoi(genbuf);
 	} while (temp < 0 || temp > 2550);
 	bp->post_limit_posts = (unsigned char)(temp / 10);
+	assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	substitute_record(fn_board, bp, sizeof(boardheader_t), currbid);
 	log_usies("SetBoard", bp->brdname);
 	vmsg("修改完成！");
@@ -1587,6 +1612,7 @@ do_limitedit(int ent, fileheader_t * fhdr, const char *direct)
 	    temp = atoi(genbuf);
 	} while (temp < 0 || temp > 2550);
 	bp->vote_limit_posts = (unsigned char)(temp / 10);
+	assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	substitute_record(fn_board, bp, sizeof(boardheader_t), currbid);
 	log_usies("SetBoard", bp->brdname);
 	vmsg("修改完成！");
@@ -1650,6 +1676,7 @@ stop_gamble(void)
 {
     boardheader_t  *bp = getbcache(currbid);
     char            fn_ticket[128], fn_ticket_end[128];
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     if (!bp->endgamble || bp->endgamble > now)
 	return 0;
 
@@ -1659,6 +1686,7 @@ stop_gamble(void)
     rename(fn_ticket, fn_ticket_end);
     if (bp->endgamble) {
 	bp->endgamble = 0;
+	assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	substitute_record(fn_board, bp, sizeof(boardheader_t), currbid);
     }
     return 1;
@@ -1672,6 +1700,7 @@ join_gamble(int ent, const fileheader_t * fhdr, const char *direct)
 	vmsg("目前未舉辦賭盤或賭盤已開獎");
 	return DONOTHING;
     }
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     ticket(currbid);
     return FULLUPDATE;
 }
@@ -1685,6 +1714,7 @@ hold_gamble(void)
     int             i;
     FILE           *fp = NULL;
 
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     if (!(currmode & MODE_BOARD))
 	return 0;
     if (bp->brdattr & BRD_BAD )
@@ -1705,6 +1735,7 @@ hold_gamble(void)
 	rename(fn_ticket, fn_ticket_end);
 	if (bp->endgamble) {
 	    bp->endgamble = 0;
+	    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	    substitute_record(fn_board, bp, sizeof(boardheader_t), currbid);
 
 	}
@@ -1750,6 +1781,7 @@ hold_gamble(void)
     fprintf(fp, "%d\n", i);
     if (!getdata(3, 0, "設定自動封盤時間?(Y/n)", yn, 3, LCECHO) || yn[0] != 'n') {
 	bp->endgamble = gettime(4, now, "封盤於");
+	assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	substitute_record(fn_board, bp, sizeof(boardheader_t), currbid);
     }
     move(6, 0);
@@ -2111,6 +2143,7 @@ recommend(int ent, fileheader_t * fhdr, const char *direct)
     int isGuest = (strcmp(cuser.userid, STR_GUEST) == EQUSTR);
     int logIP = 0;
 
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     bp = getbcache(currbid);
     if (bp->brdattr & BRD_NORECOMMEND || 
         ((fhdr->filemode & FILE_MARKED) && (fhdr->filemode & FILE_SOLVED))) {
@@ -2298,6 +2331,7 @@ recommend(int ent, fileheader_t * fhdr, const char *direct)
 	inc_goodpost(fhdr->owner, 1);
 #endif
     lastrecommend = now;
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     lastrecommend_bid = currbid;
     strlcpy(lastrecommend_fname, fhdr->filename, sizeof(lastrecommend_fname));
     return FULLUPDATE;
@@ -2344,6 +2378,7 @@ del_range(int ent, const fileheader_t *fhdr, const char *direct)
 
     /* 有三種情況會進這裡, 信件, 看板, 精華區 */
     if( !(direct[0] == 'h') ){ /* 信件不用 check */
+	assert(0<=currbid-1 && currbid-1<MAX_BOARD);
         bp = getbcache(currbid);
 	if (strcmp(bp->brdname, "Security") == 0)
 	    return DONOTHING;
@@ -2401,6 +2436,7 @@ del_post(int ent, fileheader_t * fhdr, char *direct)
     int             not_owned, tusernum;
     boardheader_t  *bp;
 
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     bp = getbcache(currbid);
 
     /* TODO recursive lookup */
@@ -2647,6 +2683,7 @@ b_note_edit_bname(int bid)
     char            buf[PATHLEN];
     int             aborted;
     boardheader_t  *fh = getbcache(bid);
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     setbfile(buf, fh->brdname, fn_notes);
     aborted = vedit(buf, NA, NULL);
     if (aborted == -1) {
@@ -2660,6 +2697,7 @@ b_note_edit_bname(int bid)
 		      "有效日期至");
 	else
 	    fh->bupdate = 0;
+	assert(0<=bid-1 && bid-1<MAX_BOARD);
 	substitute_record(fn_board, fh, sizeof(boardheader_t), bid);
     }
     return 0;
@@ -2669,6 +2707,7 @@ static int
 b_notes_edit(void)
 {
     if (currmode & MODE_BOARD) {
+	assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	b_note_edit_bname(currbid);
 	return FULLUPDATE;
     }
@@ -2690,6 +2729,7 @@ visable_list_edit(void)
 {
     if (currmode & MODE_BOARD) {
 	friend_edit(BOARD_VISABLE);
+	assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	hbflreload(currbid);
 	return FULLUPDATE;
     }
@@ -2746,6 +2786,7 @@ bh_title_edit(void)
     if (currmode & MODE_BOARD) {
 	char            genbuf[BTLEN];
 
+	assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	bp = getbcache(currbid);
 	move(1, 0);
 	clrtoeol();
@@ -2756,6 +2797,7 @@ bh_title_edit(void)
 	    return 0;
 	strip_ansi(genbuf, genbuf, STRIP_ALL);
 	strlcpy(bp->title + 7, genbuf, sizeof(bp->title) - 7);
+	assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	substitute_record(fn_board, bp, sizeof(boardheader_t), currbid);
 	log_usies("SetBoard", currboard);
 	return FULLUPDATE;
@@ -2845,6 +2887,7 @@ push_bottom(int ent, fileheader_t *fhdr, const char *direct)
 	fhdr->filemode ^= FILE_BOTTOM;
 	num = delete_record(direct, sizeof(fileheader_t), ent);
     }
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     setbottomtotal(currbid);
     return DIRCHANGED;
 }
@@ -2896,6 +2939,7 @@ good_post(int ent, fileheader_t * fhdr, const char *direct)
 	append_record(buf, &digest, sizeof(digest));
 
 #ifdef GLOBAL_DIGEST
+	assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	if(!(getbcache(currbid)->brdattr & BRD_HIDE)) { 
           getdata(1, 0, "好文值得出版到全站文摘?(N/y)", genbuf2, 3, LCECHO);
           if(genbuf2[0] == 'y')
@@ -3112,6 +3156,7 @@ b_config(void)
     }
     if(touched)
     {
+	assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	substitute_record(fn_board, bp, sizeof(boardheader_t), currbid);
 	vmsg("已儲存新設定");
     }
@@ -3150,6 +3195,7 @@ change_hidden(void)
 	outs("君心今已掩抑，惟盼善自珍重。\n");
 	board_hidden_status = 1;
     }
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     substitute_record(fn_board, bp, sizeof(boardheader_t), currbid);
     log_usies("SetBoard", bp->brdname);
     pressanykey();
@@ -3179,6 +3225,7 @@ change_counting(void)
 	bp->brdattr |= BRD_BMCOUNT;
 	outs("快灌水衝十大第一吧。\n");
     }
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     substitute_record(fn_board, bp, sizeof(boardheader_t), currbid);
     pressanykey();
     return FULLUPDATE;
@@ -3306,6 +3353,7 @@ change_cooldown(void)
 	bp->brdattr |= BRD_COOLDOWN;
 	outs("開始冷靜。\n");
     }
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     substitute_record(fn_board, bp, sizeof(boardheader_t), currbid);
     pressanykey();
     return FULLUPDATE;
diff --git a/mbbsd/board.c b/mbbsd/board.c
index 2d261d5c..3407f0a4 100644
--- a/mbbsd/board.c
+++ b/mbbsd/board.c
@@ -37,6 +37,7 @@ typedef struct {
 #define IN_CLASS()	(class_bid > 0)
 static int      class_bid = 0;
 
+static int nbrdsize = 0;
 static boardstat_t *nbrd = NULL;
 static char	choose_board_depth = 0;
 static short    brdnum;
@@ -168,7 +169,10 @@ load_uidofgid(const int gid, const int type)
 {
     boardheader_t  *bptr, *currbptr, *parent;
     int             bid, n, childcount = 0;
+    assert(0<=type && type<2);
+    assert(0<= gid-1 && gid-1<MAX_BOARD);
     currbptr = parent = &bcache[gid - 1];
+    assert(0<=numboards && numboards<=MAX_BOARD);
     for (n = 0; n < numboards; ++n) {
 	bid = SHM->bsorted[type][n]+1;
 	if( bid<=0 || !(bptr = getbcache(bid)) 
@@ -197,6 +201,8 @@ addnewbrdstat(int n, int state)
 {
     boardstat_t    *ptr;
 
+    assert(0<=n && n<MAX_BOARD);
+    assert(0<=brdnum && brdnum<nbrdsize);
     ptr = &nbrd[brdnum++];
     //boardheader_t  *bptr = &bcache[n];
     //ptr->total = &(SHM->total[n]);
@@ -248,6 +254,7 @@ load_boards(char *key)
     brdnum = 0;
     if (nbrd) {
         free(nbrd);
+	nbrdsize = 0;
 	nbrd = NULL;
     }
     if (!IN_CLASS()) {
@@ -255,9 +262,11 @@ load_boards(char *key)
 	    fav_t   *fav = get_current_fav();
 	    int     nfav = get_data_number(fav);
 	    if( nfav == 0 ){
+		nbrdsize = 1;
 		nbrd = (boardstat_t *)malloc(sizeof(boardstat_t) * 1);
 		goto EMPTYFAV;
 	    }
+	    nbrdsize = nfav;
 	    nbrd = (boardstat_t *)malloc(sizeof(boardstat_t) * nfav);
             for( i = 0 ; i < fav->DataTail; ++i ){
 		int state;
@@ -287,6 +296,7 @@ load_boards(char *key)
 			    continue;
 		    }else{
 			boardheader_t *bptr = getbcache(fav_getid(&fav->favh[i]));
+			assert(0<=fav_getid(&fav->favh[i])-1 && fav_getid(&fav->favh[i])-1<MAX_BOARD);
 			if( HasBoardPerm(bptr) && strcasestr(bptr->title, key))
 			    state = NBRD_BOARD;
 			else
@@ -308,8 +318,10 @@ load_boards(char *key)
 	}
 #if HOTBOARDCACHE
 	else if(IN_HOTBOARD()){
-	    nbrd = (boardstat_t *)malloc(sizeof(boardstat_t) * SHM->nHOTs);
-	    for( i = 0 ; i < SHM->nHOTs ; ++i ) {
+	    nbrdsize = SHM->nHOTs;
+	    assert(0<nbrdsize);
+	    nbrd = (boardstat_t *)malloc(sizeof(boardstat_t) * nbrdsize);
+	    for( i = 0 ; i < nbrdsize; ++i ) {
 		if(SHM->HBcache[i] == -1)
 		    continue;
 		addnewbrdstat(SHM->HBcache[i], HasBoardPerm(&bcache[SHM->HBcache[i]]));
@@ -317,8 +329,10 @@ load_boards(char *key)
 	}
 #endif
 	else { // general case
-	    nbrd = (boardstat_t *) malloc(sizeof(boardstat_t) * numboards);
-	    for (i = 0; i < numboards; i++) {
+	    nbrdsize = numboards;
+	    assert(0<nbrdsize && nbrdsize<=MAX_BOARD);
+	    nbrd = (boardstat_t *) malloc(sizeof(boardstat_t) * nbrdsize);
+	    for (i = 0; i < nbrdsize; i++) {
 		int n = SHM->bsorted[type][i];
 		boardheader_t *bptr = &bcache[n];
 		if (n < 0 || bptr == NULL)
@@ -344,15 +358,18 @@ load_boards(char *key)
 	int childcount; 
 	int bid;
 
+	assert(0<=class_bid-1 && class_bid-1<MAX_BOARD);
 	if (bptr->firstchild[type] == 0 || bptr->childcount==0)
 	    load_uidofgid(class_bid, type);
 
         childcount = bptr->childcount;  // Ptt: child count after load_uidofgid
 
-	nbrd = (boardstat_t *) malloc((childcount+2) * sizeof(boardstat_t));
+	nbrdsize = childcount + 5;
+	nbrd = (boardstat_t *) malloc((childcount+5) * sizeof(boardstat_t));
         // 預留兩個以免大量開板時掛調
 	for (bid = bptr->firstchild[type]; bid > 0 && 
-		brdnum < childcount+2; bid = bptr->next[type]) {
+		brdnum < childcount+5; bid = bptr->next[type]) {
+	    assert(0<=bid-1 && bid-1<MAX_BOARD);
             bptr = getbcache(bid);
 	    state = HasBoardPerm(bptr);
 	    if ( !(state || GROUPOP()) || TITLE_MATCH(bptr, key) )
@@ -366,10 +383,14 @@ load_boards(char *key)
 		else
 		    bid = BRD_LINK_TARGET(bptr);
 	    }
+	    assert(0<=bid-1 && bid-1<MAX_BOARD);
 	    addnewbrdstat(bid-1, state);
 	}
-        if(childcount < brdnum) //Ptt: dirty fix fix soon 
-                getbcache(class_bid)->childcount = 0;
+        if(childcount < brdnum) {
+	    //Ptt: dirty fix fix soon 
+	    fprintf(stderr, "childcount < brdnum, %d<%d, class_bid=%d\n",childcount,brdnum,class_bid);
+	    getbcache(class_bid)->childcount = 0;
+	}
            
                  
     }
@@ -383,6 +404,7 @@ search_board(void)
     move(0, 0);
     clrtoeol();
     CreateNameList();
+    assert(brdnum<=nbrdsize);
     for (num = 0; num < brdnum; num++)
 	if (!IS_LISTING_FAV() ||
 	    (nbrd[num].myattr & NBRD_BOARD && HasBoardPerm(B_BH(&nbrd[num]))) )
@@ -538,6 +560,7 @@ show_brdlist(int head, int clsflag, int newflag)
 	    move(myrow, 0);
 	    clrtoeol();
 	    if (head < brdnum) {
+		assert(0<=head && head<nbrdsize);
 		ptr = &nbrd[head++];
 		if (ptr->myattr & NBRD_LINE){
 		    if( !newflag )
@@ -646,6 +669,7 @@ set_menu_BM(char *BM)
 
 static void replace_link_by_target(boardstat_t *board)
 {
+    assert(0<=board->bid-1 && board->bid-1<MAX_BOARD);
     board->bid = BRD_LINK_TARGET(getbcache(board->bid));
     board->myattr &= ~NBRD_SYMBOLIC;
 }
@@ -661,12 +685,14 @@ paste_taged_brds(int gid)
     for (tmp = 0; tmp < fav->DataTail; tmp++) {
 	    boardheader_t  *bh;
 	    bid = fav_getid(&fav->favh[tmp]);
+	    assert(0<=bid-1 && bid-1<MAX_BOARD);
 	    bh = getbcache(bid);
 	    if( !is_set_attr(&fav->favh[tmp], FAVH_ADM_TAG))
 		continue;
 	    set_attr(&fav->favh[tmp], FAVH_ADM_TAG, FALSE);
 	    if (bh->gid != gid) {
 		bh->gid = gid;
+		assert(0<=bid-1 && bid-1<MAX_BOARD);
 		substitute_record(FN_BOARD, bh,
 				  sizeof(boardheader_t), bid);
 		reset_board(bid);
@@ -730,6 +756,7 @@ choose_board(int newflag)
 	if (head < 0) {
 	    if (newflag) {
 		tmp = num;
+		assert(brdnum<=nbrdsize);
 		while (num < brdnum) {
 		    ptr = &nbrd[num];
 		    if (ptr->myattr & NBRD_UNREAD)
@@ -803,10 +830,12 @@ choose_board(int newflag)
 	case '*':
 	    {
 		int i = 0;
+		assert(brdnum<=nbrdsize);
 		for (i = 0; i < brdnum; i++)
 		{
 		    ptr = &nbrd[i];
 		    if (IS_LISTING_FAV()){
+			assert(nbrdsize>0);
 			if(get_fav_type(&nbrd[0]) != 0)
 			    fav_tag(ptr->bid, get_fav_type(ptr), 2);
 		    }
@@ -816,8 +845,10 @@ choose_board(int newflag)
 	    }
 	    break;
 	case 't':
+	    assert(0<=num && num<nbrdsize);
 	    ptr = &nbrd[num];
 	    if (IS_LISTING_FAV()){
+		assert(nbrdsize>0);
 		if(get_fav_type(&nbrd[0]) != 0)
 		    fav_tag(ptr->bid, get_fav_type(ptr), 2);
 	    }
@@ -895,6 +926,7 @@ choose_board(int newflag)
 	case 'D':
 	    if (HasUserPerm(PERM_SYSOP) ||
 		    (HasUserPerm(PERM_SYSSUPERSUBOP) &&	GROUPOP())) {
+		assert(0<=num && num<nbrdsize);
 		ptr = &nbrd[num];
 		if (ptr->myattr & NBRD_SYMBOLIC) {
 		    if (getans("確定刪除連結？[N/y]") == 'y')
@@ -941,6 +973,7 @@ choose_board(int newflag)
 		    break;
 		}
 		/* done move if it's the first item. */
+		assert(nbrdsize>0);
 		if (get_fav_type(&nbrd[0]) != 0)
 		    move_in_current_folder(brdnum, num);
 		brdnum = -1;
@@ -958,6 +991,7 @@ choose_board(int newflag)
 	case 'z':
 	case 'm':
 	    if (HasUserPerm(PERM_LOGINOK)) {
+		assert(0<=num && num<nbrdsize);
 		ptr = &nbrd[num];
 		if (IS_LISTING_FAV()) {
 		    if (ptr->myattr & NBRD_FAV) {
@@ -1005,6 +1039,7 @@ choose_board(int newflag)
 		}
 		fav_set_folder_title(ft, "新的目錄");
 		/* don't move if it's the first item */
+		assert(nbrdsize>0);
 		if (get_fav_type(&nbrd[0]) != 0)
 		    move_in_current_folder(brdnum, num);
 		brdnum = -1;
@@ -1012,6 +1047,7 @@ choose_board(int newflag)
 	    }
 	    break;
 	case 'T':
+	    assert(0<=num && num<nbrdsize);
 	    if (HasUserPerm(PERM_LOGINOK) && nbrd[num].myattr & NBRD_FOLDER) {
 		fav_type_t *ft = getfolder(nbrd[num].bid);
 		strlcpy(buf, get_item_title(ft), sizeof(buf));
@@ -1083,6 +1119,7 @@ choose_board(int newflag)
 
 	case 'v':
 	case 'V':
+	    assert(0<=num && num<nbrdsize);
 	    ptr = &nbrd[num];
 	    if(nbrd[num].bid < 0 || !HasBoardPerm(B_BH(ptr)))
 		break;
@@ -1105,6 +1142,7 @@ choose_board(int newflag)
 	    break;
 	case 'E':
 	    if (HasUserPerm(PERM_SYSOP | PERM_BOARD) || GROUPOP()) {
+		assert(0<=num && num<nbrdsize);
 		ptr = &nbrd[num];
 		move(1, 1);
 		clrtobot();
@@ -1151,7 +1189,8 @@ choose_board(int newflag)
 		    fav_type_t * ptr = getboard(bid);
 		    if (ptr != NULL) { // already in fav list
 			// move curser to item
-			for (num = 0; bid != nbrd[num].bid; ++num);
+			for (num = 0; num<nbrdsize && bid != nbrd[num].bid; ++num);
+			assert(bid==nbrd[num].bid);
 		    } else {
 			ptr = fav_add_board(bid);
 
@@ -1187,13 +1226,15 @@ choose_board(int newflag)
 	case '\r':
 	case 'r':
 	    {
-		ptr = &nbrd[num];
 		if (IS_LISTING_FAV()) {
+		    assert(nbrdsize>0);
 		    if (get_fav_type(&nbrd[0]) == 0)
 			break;
-		    else if (ptr->myattr & NBRD_LINE)
+		    assert(0<=num && num<nbrdsize);
+		    ptr = &nbrd[num];
+		    if (ptr->myattr & NBRD_LINE)
 			break;
-		    else if (ptr->myattr & NBRD_FOLDER){
+		    if (ptr->myattr & NBRD_FOLDER){
 			int t = num;
 			num = 0;
 			fav_folder_in(ptr->bid);
@@ -1204,11 +1245,15 @@ choose_board(int newflag)
 			head = 9999;
 			break;
 		    }
-		}
-		else if (ptr->myattr & NBRD_SYMBOLIC) {
-		    replace_link_by_target(ptr);
+		} else {
+		    assert(0<=num && num<nbrdsize);
+		    ptr = &nbrd[num];
+		    if (ptr->myattr & NBRD_SYMBOLIC) {
+			replace_link_by_target(ptr);
+		    }
 		}
 
+		assert(0<=ptr->bid-1 && ptr->bid-1<MAX_BOARD);
 		if (!(B_BH(ptr)->brdattr & BRD_GROUPBOARD)) {	/* 非sub class */
 		    if (HasBoardPerm(B_BH(ptr))) {
 			brc_initial_board(B_BH(ptr)->brdname);
@@ -1250,6 +1295,7 @@ choose_board(int newflag)
 		    setutmpbid(ptr->bid);
 		    free(nbrd);
 		    nbrd = NULL;
+		    nbrdsize = 0;
 	    	    if (IS_LISTING_FAV()) {
 			LIST_BRD();
 			choose_board(0);
@@ -1268,6 +1314,7 @@ choose_board(int newflag)
     } while (ch != 'q');
     free(nbrd);
     nbrd = NULL;
+    nbrdsize = 0;
     --choose_board_depth;
 }
 
diff --git a/mbbsd/brc.c b/mbbsd/brc.c
index f30bef17..2f1639d0 100644
--- a/mbbsd/brc.c
+++ b/mbbsd/brc.c
@@ -371,6 +371,7 @@ brc_initial_board(const char *boardname)
     currbid = getbnum(boardname);
     if( currbid == 0 )
 	currbid = getbnum(DEFAULT_BOARD);
+    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
     currboard = bcache[currbid - 1].brdname;
     currbrdattr = bcache[currbid - 1].brdattr;
 
diff --git a/mbbsd/cache.c b/mbbsd/cache.c
index 2e8d6042..465a59e0 100644
--- a/mbbsd/cache.c
+++ b/mbbsd/cache.c
@@ -506,6 +506,7 @@ setutmpmode(unsigned int mode)
  * section - board cache
  */
 void touchbtotal(int bid) {
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     SHM->total[bid - 1] = 0;
     SHM->lastposttime[bid - 1] = 0;
 }
@@ -644,6 +645,7 @@ reset_board(int bid) /* XXXbid: from 1 */
 
     if (--bid < 0)
 	return;
+    assert(0<=bid && bid<MAX_BOARD);
     if (SHM->Bbusystate || COMMON_TIME - SHM->busystate_b[bid] < 10) {
 	safe_sleep(1);
     } else {
@@ -685,6 +687,7 @@ setbottomtotal(int bid)
     char            fname[PATHLEN];
     int             n;
 
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     if(!bh->brdname[0]) return;
     setbfile(fname, bh->brdname, ".DIR.bottom");
     n = get_num_records(fname, sizeof(fileheader_t));
@@ -707,11 +710,13 @@ setbtotal(int bid)
     char            genbuf[256];
     int             num, fd;
 
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     setbfile(genbuf, bh->brdname, ".DIR");
     if ((fd = open(genbuf, O_RDWR)) < 0)
 	return;			/* .DIR掛了 */
     fstat(fd, &st);
     num = st.st_size / sizeof(fileheader_t);
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     SHM->total[bid - 1] = num;
 
     if (num > 0) {
@@ -728,6 +733,7 @@ void
 touchbpostnum(int bid, int delta)
 {
     int            *total = &SHM->total[bid - 1];
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     if (*total)
 	*total += delta;
 }
@@ -770,6 +776,7 @@ haspostperm(const char *bname)
 
     if (!(i = getbnum(bname)))
 	return 0;
+    assert(0<=i-1 && i-1<MAX_BOARD);
 
     if (bcache[i - 1].brdattr & BRD_GUESTPOST)
         return 1;
@@ -799,6 +806,7 @@ void buildBMcache(int bid) /* bid starts from 1 */
     char    s[IDLEN * 3 + 3], *ptr;
     int     i, uid;
 
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     strlcpy(s, getbcache(bid)->BM, sizeof(s));
     for( i = 0 ; s[i] != 0 ; ++i )
 	if( !isalpha((int)s[i]) && !isdigit((int)s[i]) )
@@ -815,6 +823,7 @@ void buildBMcache(int bid) /* bid starts from 1 */
 
 int is_BM_cache(int bid) /* bid starts from 1 */
 {
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     --bid;
     // XXX hard coded MAX_BMs=4
     if( currutmp->uid == SHM->BMcache[bid][0] ||
@@ -1006,6 +1015,7 @@ hbflreload(int bid)
     char            buf[128];
     FILE           *fp;
 
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     memset(hbfl, 0, sizeof(hbfl));
     setbfile(buf, bcache[bid - 1].brdname, fn_visable);
     if ((fp = fopen(buf, "r")) != NULL) {
@@ -1036,6 +1046,7 @@ hbflcheck(int bid, int uid)
 {
     int             i;
 
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     if (SHM->hbfl[bid-1][0] < login_start_time - HBFLexpire)
 	hbflreload(bid);
     for (i = 1; SHM->hbfl[bid-1][i] != 0 && i <= MAX_FRIEND; ++i) {
diff --git a/mbbsd/fav.c b/mbbsd/fav.c
index bf1c7b7e..fa7d144c 100644
--- a/mbbsd/fav.c
+++ b/mbbsd/fav.c
@@ -207,6 +207,7 @@ char *get_item_title(fav_type_t *ft)
 {
     switch (get_item_type(ft)){
 	case FAVT_BOARD:
+	    assert(0<=cast_board(ft)->bid-1 && cast_board(ft)->bid-1<MAX_BOARD);
 	    return bcache[cast_board(ft)->bid - 1].brdname;
 	case FAVT_FOLDER:
 	    return cast_folder(ft)->title;
@@ -220,6 +221,7 @@ static char *get_item_class(fav_type_t *ft)
 {
     switch (get_item_type(ft)){
 	case FAVT_BOARD:
+	    assert(0<=cast_board(ft)->bid-1 && cast_board(ft)->bid-1<MAX_BOARD);
 	    return bcache[cast_board(ft)->bid - 1].title;
 	case FAVT_FOLDER:
 	    return "目錄";
@@ -691,6 +693,7 @@ fav_type_t *getadmtag(short bid)
     int i;
     fav_t *fp = get_fav_root();
     fav_type_t *ft;
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     for (i = 0; i < fp->DataTail; i++) {
 	ft = &fp->favh[i];
 	if (get_item_type(ft) == FAVT_BOARD && cast_board(ft)->bid == bid && is_set_attr(ft, FAVH_ADM_TAG))
@@ -701,6 +704,7 @@ fav_type_t *getadmtag(short bid)
 
 fav_type_t *getboard(short bid)
 {
+    assert(0<=bid-1 && bid-1<MAX_BOARD);
     return get_fav_item(bid, FAVT_BOARD);
 }
 
diff --git a/mbbsd/friend.c b/mbbsd/friend.c
index e3fa11b6..8f62713f 100644
--- a/mbbsd/friend.c
+++ b/mbbsd/friend.c
@@ -454,8 +454,10 @@ friend_edit(int type)
 	} else if (type == BOARD_WATER) {
 	    boardheader_t *bp = NULL;
 	    currbid = getbnum(currboard);
+	    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	    bp = getbcache(currbid);
 	    bp->perm_reload = now;
+	    assert(0<=currbid-1 && currbid-1<MAX_BOARD);
 	    substitute_record(fn_board, bp, sizeof(boardheader_t), currbid);
 	    // log_usies("SetBoard", bp->brdname);
 	}
diff --git a/mbbsd/io.c b/mbbsd/io.c
index b933616a..c1efde24 100644
--- a/mbbsd/io.c
+++ b/mbbsd/io.c
@@ -825,6 +825,7 @@ oldgetdata(int line, int col, const char *prompt, char *buf, int len, int echo)
 	}
 
 	while (1) {
+	    assert(0<=clen);
 	    if(dirty_line) {
 		move(line, col);
 		clrtoeol();
@@ -844,6 +845,7 @@ oldgetdata(int line, int col, const char *prompt, char *buf, int len, int echo)
 
 	    if ((ch = igetch()) == '\r')
 		break;
+	    assert(0<=clen);
 	    switch (ch) {
 	    case KEY_DOWN: case Ctrl('N'):
 	    case KEY_UP:   case Ctrl('P'):
@@ -876,6 +878,7 @@ oldgetdata(int line, int col, const char *prompt, char *buf, int len, int echo)
 			currchar --;
 #endif
 		}
+	    assert(0<=clen);
 		break;
 	    case KEY_RIGHT:
 		if (buf[currchar])
@@ -888,6 +891,7 @@ oldgetdata(int line, int col, const char *prompt, char *buf, int len, int echo)
 			currchar++;
 #endif
 		}
+	    assert(0<=clen);
 		break;
 	    case '\177':
 	    case Ctrl('H'):
@@ -998,6 +1002,7 @@ oldgetdata(int line, int col, const char *prompt, char *buf, int len, int echo)
 		}
 		break;
 	    }			/* end case */
+	    assert(0<=clen);
 	}			/* end while */
 
 	if (clen > 1) {
@@ -1008,6 +1013,8 @@ oldgetdata(int line, int col, const char *prompt, char *buf, int len, int echo)
 	// outc('\n');
 	move(y+1, 0);
 	refresh();
+	assert(0<=currchar && currchar<=clen);
+	assert(0<=clen && clen<=len);
     }
     if ((echo == LCECHO) && isupper((int)buf[0]))
 	buf[0] = tolower(buf[0]);
diff --git a/mbbsd/mail.c b/mbbsd/mail.c
index 2b82fb3e..86c1124b 100644
--- a/mbbsd/mail.c
+++ b/mbbsd/mail.c
@@ -1263,6 +1263,7 @@ mail_cross_post(int ent, fileheader_t * fhdr, const char *direct)
 	return FULLUPDATE;
 
     ent = getbnum(xboard);
+    assert(0<=ent-1 && ent-1<MAX_BOARD);
     if ( !((currmode & MODE_BOARD) || HasUserPerm(PERM_SYSOP)) &&
 	    (cuser.firstlogin > (now - (time4_t)bcache[ent - 1].post_limit_regtime * 2592000) ||
 	    cuser.numlogins < ((unsigned int)(bcache[ent - 1].post_limit_logins) * 10) ||
diff --git a/mbbsd/menu.c b/mbbsd/menu.c
index 99c2c8ba..fa111d4f 100644
--- a/mbbsd/menu.c
+++ b/mbbsd/menu.c
@@ -51,6 +51,7 @@ showtitle(const char *title, const char *mid)
 	int bid = getbnum(currboard);
 	if(bid > 0)
 	{
+	    assert(0<=bid-1 && bid-1<MAX_BOARD);
 	    board_hidden_status = ((getbcache(bid)->brdattr & BRD_HIDE) &&
 				   (getbcache(bid)->brdattr & BRD_POSTMASK));
 	    strlcpy(lastboard, currboard, sizeof(lastboard));
diff --git a/mbbsd/stuff.c b/mbbsd/stuff.c
index 37a8ebb1..b4b479f2 100644
--- a/mbbsd/stuff.c
+++ b/mbbsd/stuff.c
@@ -41,6 +41,7 @@ void
 sethomefile(char *buf, const char *userid, const char *fname)
 {
     assert(is_validuserid(userid));
+    assert(fname[0]);
     snprintf(buf, PATHLEN, str_home_file, userid[0], userid, fname);
 }
 
@@ -48,30 +49,35 @@ void
 setuserfile(char *buf, const char *fname)
 {
     assert(is_validuserid(cuser.userid));
+    assert(fname[0]);
     snprintf(buf, PATHLEN, str_home_file, cuser.userid[0], cuser.userid, fname);
 }
 
 void
 setapath(char *buf, const char *boardname)
 {
+    //assert(boardname[0]);
     snprintf(buf, PATHLEN, "man/boards/%c/%s", boardname[0], boardname);
 }
 
 void
 setadir(char *buf, const char *path)
 {
+    //assert(path[0]);
     snprintf(buf, PATHLEN, "%s/%s", path, str_dotdir);
 }
 
 void
 setbpath(char *buf, const char *boardname)
 {
+    //assert(boardname[0]);
     snprintf(buf, PATHLEN, "boards/%c/%s", boardname[0], boardname);
 }
 
 void
 setbdir(char *buf, const char *boardname)
 {
+    //assert(boardname[0]);
     snprintf(buf, PATHLEN, str_board_file, boardname[0], boardname,
 	    (currmode & MODE_DIGEST ? fn_mandex : str_dotdir));
 }
@@ -79,12 +85,16 @@ setbdir(char *buf, const char *boardname)
 void
 setbfile(char *buf, const char *boardname, const char *fname)
 {
+    //assert(boardname[0]);
+    assert(fname[0]);
     snprintf(buf, PATHLEN, str_board_file, boardname[0], boardname, fname);
 }
 
 void
 setbnfile(char *buf, const char *boardname, const char *fname, int n)
 {
+    //assert(boardname[0]);
+    assert(fname[0]);
     snprintf(buf, PATHLEN, str_board_n_file, boardname[0], boardname, fname, n);
 }
 
diff --git a/mbbsd/vote.c b/mbbsd/vote.c
index e12d72f0..62fa1c3b 100644
--- a/mbbsd/vote.c
+++ b/mbbsd/vote.c
@@ -534,6 +534,7 @@ vote_view(vote_buffer_t *vbuf, const char *bname, int vote_index)
     fclose(fp);
     free(counts);
     pos = getbnum(bname);
+    assert(0<=pos-1 && pos-1<MAX_BOARD);
     fhp = bcache + pos - 1;
     move(t_lines - 3, 0);
     prints("◆ 目前總票數 = %d 票", total);
@@ -634,6 +635,7 @@ vote_maintain(const char *bname)
     if ((pos = getbnum(bname)) <= 0)
 	return 0;
 
+    assert(0<=pos-1 && pos-1<MAX_BOARD);
     fhp = bcache + pos - 1;
 
     if (fhp->bvote != 0) {
@@ -918,6 +920,7 @@ user_vote_one(vote_buffer_t *vbuf, const char *bname, int ind)
     if ((pos = getbnum(bname)) <= 0)
 	return 0;
 
+    assert(0<=pos-1 && pos-1<MAX_BOARD);
     fhp = bcache + pos - 1;
 #if 0 // backward compatible
     setbfile(buf, bname, STR_new_control);
@@ -1096,6 +1099,7 @@ user_vote(const char *bname)
     if ((pos = getbnum(bname)) <= 0)
 	return 0;
 
+    assert(0<=pos-1 && pos-1<MAX_BOARD);
     fhp = bcache + pos - 1;
 
     move(0, 0);
diff --git a/mbbsd/voteboard.c b/mbbsd/voteboard.c
index ac237f58..ff89ec1a 100644
--- a/mbbsd/voteboard.c
+++ b/mbbsd/voteboard.c
@@ -271,6 +271,7 @@ do_voteboard(int type)
 		 "%s\n\n%s%s\n%s", "罷免板主", "英文名稱: ",
 		 topic, "板主 ID : ");
         temp=getbnum(topic);
+	assert(0<=temp-1 && temp-1<MAX_BOARD);
 	do {
 	    if (!getdata(7, 0, "請輸入板主ID：", topic, IDLEN + 1, DOECHO))
 		return FULLUPDATE;
-- 
cgit v1.2.3