From ed5f6a81da26719e1c0a8c381bd9d1ae8a38fc22 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 24 Apr 2026 10:22:01 +0000
Subject: [PATCH] Fix stack buffer overflow in var_subst() (dg_variables.c)

Agent-Logs-Url: https://github.com/tbamud/tbamud/sessions/5e320127-5bfa-499e-9776-e8a6cdd06bde

Co-authored-by: welcor <357770+welcor@users.noreply.github.com>
---
 src/dg_variables.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/dg_variables.c b/src/dg_variables.c
index dd6b11a..2f4e214 100644
--- a/src/dg_variables.c
+++ b/src/dg_variables.c
@@ -1636,6 +1636,13 @@ void var_subst(void *go, struct script_data *sc, trig_data *trig,
   int paren_count = 0;
   int dots = 0;
 
+  /* reject lines that would overflow our fixed-size buffers */
+  if (strnlen(line, MAX_INPUT_LENGTH) >= MAX_INPUT_LENGTH) {
+    script_log("Trigger VNum %d: variable substitution line too long, ignoring.", GET_TRIG_VNUM(trig));
+    *buf = '\0';
+    return;
+  }
+
   /* skip out if no %'s */
   if (!strchr(line, '%')) {
     strcpy(buf, line);