Merge r5 from branches/ircii-pana-1.1 (fixes for CVE-2007-3360).

git-svn-id: svn://svn.code.sf.net/p/bitchx/code/trunk@36 13b04d17-f746-0410-82c6-800466cd88b0
2008-05-07 10:26:50 +00:00
parent ec0201e8a5
commit a9267d0716
2 changed files with 7 additions and 3 deletions
--- a/source/hook.c
+++ b/source/hook.c
@@ -68,6 +68,7 @@ NumericList *dll_numeric_list	= NULL;
 #endif

 /* hook_functions: the list of all hook functions available */
+#define HOOK_COUNT (sizeof hook_functions / sizeof *hook_functions)
 HookFunc hook_functions[] =
 {
 	{ "ACTION",		NULL,	3,	0,	0 },
@@ -855,7 +856,7 @@ int 	BX_do_hook (int which, char *format, ...)
 	}

 	/* Named list */
-	else
+	else if (which < HOOK_COUNT)
 	{
 		/*
 		 * If we're already executing the type, and we're
@@ -872,7 +873,10 @@ int 	BX_do_hook (int which, char *format, ...)
 			strncpy(hook_name, hook_functions[which].name, BIG_BUFFER_SIZE);
 		}
 	}
-
+    else /* invalid hook */
+    {
+        list = NULL;
+    }

 	/*
 	 * Press the buffer using the specified format string and args
--- a/source/parse.c
+++ b/source/parse.c
@@ -1908,7 +1908,7 @@ void parse_server(char *orig_line)
 	 * of compares.)  I will be doing more testing in the future on
 	 * a live client to see if this is a reasonable order.
 	 */
-	if ((numeric = atoi(comm)))
+	if ((numeric = atoi(comm)) > 0) /* numbered_command can't handle -ves */
 		numbered_command(from, numeric, ArgList);
 	else
 	{