Improve overflow fix: use goto for cleanup, free temp_queue on error, check all write paths

Agent-Logs-Url: https://github.com/tbamud/tbamud/sessions/2a126e43-3602-48d0-9027-2e7c2021a94c

Co-authored-by: welcor <357770+welcor@users.noreply.github.com>

src/dg_variables.c

@@ -1636,13 +1636,6 @@ void var_subst(void *go, struct script_data *sc, trig_data *trig,
   int paren_count = 0;
   int dots = 0;
 
-  /* reject lines that would overflow our fixed-size buffers */
-  if (strnlen(line, MAX_INPUT_LENGTH) >= MAX_INPUT_LENGTH) {
-    script_log("Trigger VNum %d: variable substitution line too long, ignoring.", GET_TRIG_VNUM(trig));
-    *buf = '\0';
-    return;
-  }
-
   /* skip out if no %'s */
   if (!strchr(line, '%')) {
     strcpy(buf, line);

src/interpreter.c

@@ -41,7 +41,7 @@
 /* local (file scope) functions */
 static int perform_dupe_check(struct descriptor_data *d);
 static struct alias_data *find_alias(struct alias_data *alias_list, char *str);
-static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a);
+static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a, struct char_data *ch);
 static int _parse_name(char *arg, char *name);
 static bool perform_new_char_dupe_check(struct descriptor_data *d);
 /* sort_commands utility */
@@ -668,9 +668,10 @@ ACMD(do_alias)
  * commands. */
 #define NUM_TOKENS       9
 
-static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a)
+static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a, struct char_data *ch)
 {
   struct txt_q temp_queue;
+  struct txt_block *qtmp;
   char *tokens[NUM_TOKENS], *temp, *write_point;
   char buf2[MAX_RAW_INPUT_LENGTH], buf[MAX_RAW_INPUT_LENGTH];	/* raw? */
   int num_of_tokens = 0, num;
@@ -697,16 +698,27 @@ static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alia
     } else if (*temp == ALIAS_VAR_CHAR) {
       temp++;
       if ((num = *temp - '1') < num_of_tokens && num >= 0) {
-	strcpy(write_point, tokens[num]);	/* strcpy: OK */
+        if ((write_point - buf) + strlen(tokens[num]) >= MAX_RAW_INPUT_LENGTH)
+          goto overflow;
+	strcpy(write_point, tokens[num]);
 	write_point += strlen(tokens[num]);
       } else if (*temp == ALIAS_GLOB_CHAR) {
         skip_spaces(&orig);
-        strcpy(write_point, orig);		/* strcpy: OK */
+        if ((write_point - buf) + strlen(orig) >= MAX_RAW_INPUT_LENGTH)
+          goto overflow;
+        strcpy(write_point, orig);
 	write_point += strlen(orig);
-      } else if ((*(write_point++) = *temp) == '$')	/* redouble $ for act safety */
+      } else {
-	*(write_point++) = '$';
+        if (write_point - buf + 2 >= MAX_RAW_INPUT_LENGTH)
-    } else
+          goto overflow;
+        if ((*(write_point++) = *temp) == '$')	/* redouble $ for act safety */
+	  *(write_point++) = '$';
+      }
+    } else {
+      if (write_point - buf + 1 >= MAX_RAW_INPUT_LENGTH)
+        goto overflow;
       *(write_point++) = *temp;
+    }
   }
 
   *write_point = '\0';
@@ -720,6 +732,16 @@ static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alia
     temp_queue.tail->next = input_q->head;
     input_q->head = temp_queue.head;
   }
+  return;
+
+overflow:
+  send_to_char(ch, "Alias expansion too long.\r\n");
+  while (temp_queue.head) {
+    qtmp = temp_queue.head;
+    temp_queue.head = qtmp->next;
+    free(qtmp->text);
+    free(qtmp);
+  }
 }
 
 /* Given a character and a string, perform alias replacement on it.
@@ -755,7 +777,7 @@ int perform_alias(struct descriptor_data *d, char *orig, size_t maxlen)
     strlcpy(orig, a->replacement, maxlen);
     return (0);
   } else {
-    perform_complex_alias(&d->input, ptr, a);
+    perform_complex_alias(&d->input, ptr, a, d->character);
     return (1);
   }
 }