Improve overflow fix: use goto for cleanup, free temp_queue on error, check all write paths

Agent-Logs-Url: https://github.com/tbamud/tbamud/sessions/2a126e43-3602-48d0-9027-2e7c2021a94c Co-authored-by: welcor <357770+welcor@users.noreply.github.com>
2026-04-30 04:41:51 +02:00 · 2026-04-24 10:23:49 +00:00
parent 853806b812
commit 96dfc6fb09
1 changed files with 22 additions and 10 deletions
--- a/src/interpreter.c
+++ b/src/interpreter.c
@@ -671,6 +671,7 @@ ACMD(do_alias)
 static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a, struct char_data *ch)
 {
  struct txt_q temp_queue;
+  struct txt_block *qtmp;
  char *tokens[NUM_TOKENS], *temp, *write_point;
  char buf2[MAX_RAW_INPUT_LENGTH], buf[MAX_RAW_INPUT_LENGTH];	/* raw? */
  int num_of_tokens = 0, num;
@@ -697,26 +698,27 @@ static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alia
    } else if (*temp == ALIAS_VAR_CHAR) {
      temp++;
      if ((num = *temp - '1') < num_of_tokens && num >= 0) {
-        if ((write_point - buf) + strlen(tokens[num]) >= MAX_RAW_INPUT_LENGTH) {
-          send_to_char(ch, "Alias expansion too long.\r\n");
-          return;
-        }
+        if ((write_point - buf) + strlen(tokens[num]) >= MAX_RAW_INPUT_LENGTH)
+          goto overflow;
 	strcpy(write_point, tokens[num]);
 	write_point += strlen(tokens[num]);
      } else if (*temp == ALIAS_GLOB_CHAR) {
        skip_spaces(&orig);
-        if ((write_point - buf) + strlen(orig) >= MAX_RAW_INPUT_LENGTH) {
-          send_to_char(ch, "Alias expansion too long.\r\n");
-          return;
-        }
+        if ((write_point - buf) + strlen(orig) >= MAX_RAW_INPUT_LENGTH)
+          goto overflow;
        strcpy(write_point, orig);
 	write_point += strlen(orig);
-      } else if (write_point - buf + 2 < MAX_RAW_INPUT_LENGTH) {
+      } else {
+        if (write_point - buf + 2 >= MAX_RAW_INPUT_LENGTH)
+          goto overflow;
        if ((*(write_point++) = *temp) == '$')	/* redouble $ for act safety */
 	  *(write_point++) = '$';
      }
-    } else if (write_point - buf + 1 < MAX_RAW_INPUT_LENGTH)
+    } else {
+      if (write_point - buf + 1 >= MAX_RAW_INPUT_LENGTH)
+        goto overflow;
      *(write_point++) = *temp;
+    }
  }

  *write_point = '\0';
@@ -730,6 +732,16 @@ static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alia
    temp_queue.tail->next = input_q->head;
    input_q->head = temp_queue.head;
  }
+  return;
+
+overflow:
+  send_to_char(ch, "Alias expansion too long.\r\n");
+  while (temp_queue.head) {
+    qtmp = temp_queue.head;
+    temp_queue.head = qtmp->next;
+    free(qtmp->text);
+    free(qtmp);
+  }
 }

 /* Given a character and a string, perform alias replacement on it.