From 8f5cb18e315cd162c87e0034880fa4f74a21e37c Mon Sep 17 00:00:00 2001
From: Jordi Mallach
Date: Thu, 17 Aug 2006 12:34:28 +0000
Subject: [PATCH] [CVE-2006-3125] Add index underflow protections where needed. Patch from 2006-08-17 Jordi Mallach * src/tetrinet.c: [CVE-2006-3125] Add index underflow protections where needed. Patch from Martin Schulze from the Debian Security Team. Thanks to Michael Gehring for analysis and proof of concept code.
---
 ChangeLog | 7 +++++++
 src/tetrinet.c | 26 +++++++++++++-------------
 2 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 33227a5..f71190c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2006-08-17 Jordi Mallach
+
+ * src/tetrinet.c: [CVE-2006-3125] Add index underflow protections
+ where needed. Patch from Martin Schulze from the Debian Security
+ Team. Thanks to Michael Gehring for analysis and proof of concept
+ code.
+
 2006-05-25 Jordi Mallach
 * configure.in: Switch to IT_PROG_INTLTOOL([0.35.0) and move
diff --git a/src/tetrinet.c b/src/tetrinet.c
index 8752de8..8472643 100644
--- a/src/tetrinet.c
+++ b/src/tetrinet.c
@@ -242,7 +242,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
 case IN_PLAYERNUM:
 pnumrec = 1;
 tmp_pnum = atoi (data);
- if (tmp_pnum >= MAX_PLAYERS)
+ if (tmp_pnum >= MAX_PLAYERS || tmp_pnum < 0)
 break;
 bigfieldnum = playernum = tmp_pnum;
 if (!connected)
@@ -300,7 +300,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
 token = strtok (data, " ");
 if (token == NULL) break;
 pnum = atoi (token);
- if (pnum >= MAX_PLAYERS)
+ if (pnum >= MAX_PLAYERS || pnum < 0)
 break;
 token = strtok (NULL, "");
 if (token == NULL) break;
@@ -328,7 +328,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
 token = strtok (data, " ");
 if (token == NULL) break;
 pnum = atoi (token);
- if (pnum >= MAX_PLAYERS)
+ if (pnum >= MAX_PLAYERS || pnum < 0)
 break;
 if (!playercount)
 break;
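Review bot: `pnumrec = 1;` still runs before the range check in the IN_PLAYERNUM case of the -242 hunk, so a player number that the new test rejects is nevertheless recorded as received while `playernum` keeps its previous value. Unless something depends on that, set the flag only after validation by moving `pnumrec = 1;` below `if (tmp_pnum >= MAX_PLAYERS || tmp_pnum < 0) break;`. What `pnumrec` gates lies outside this hunk, so confirm the intended connection handshake before reordering.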
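Review bot: The bounds test added in the -300 hunk is applied to the result of `atoi`, which returns 0 for a token with no digits and has undefined behaviour when the value does not fit in an int, so a malformed field from the server is silently treated as slot 0. The same parse-then-check pair is repeated in every other src/tetrinet.c hunk of this patch (-242 through -737, thirteen sites), and one helper built on `strtol` would make the validation explicit and keep the sites from drifting apart. The case body continues outside the hunk and it is not visible whether trailing characters after the number must be tolerated, so the sketch rejects only empty and out-of-range input. It needs the `strtol` and `errno` declarations if the file does not already include them.

```c
/* Parse a player slot from server-supplied text.
 * Returns the slot, or -1 if the token has no digits or lies outside
 * [0, MAX_PLAYERS). */
static int parse_pnum (const char *s)
{
    char *end;
    long v;

    errno = 0;
    v = strtol (s, &end, 10);
    if (end == s || errno == ERANGE || v < 0 || v >= MAX_PLAYERS)
        return -1;
    return (int) v;
}

            /* ... unchanged: strtok call and NULL check ... */
            pnum = parse_pnum (token);
            if (pnum < 0)
                break;
```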
@@ -357,7 +357,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
 token = strtok (data, " ");
 if (token == NULL) break;
 pnum = atoi (token);
- if (pnum >= MAX_PLAYERS)
+ if (pnum >= MAX_PLAYERS || pnum < 0)
 break;
 if ((pnum == playernum) && !spectating)
 g_snprintf (buf, sizeof(buf),
@@ -386,7 +386,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
 token = strtok (data, " ");
 if (token == NULL) break;
 pnum = atoi (token);
- if (pnum >= MAX_PLAYERS)
+ if (pnum >= MAX_PLAYERS || pnum < 0)
 break;
 token = strtok (NULL, "");
 if (token == NULL) token = "";
@@ -405,7 +405,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
 token = strtok (data, " ");
 if (token == NULL) break;
 pnum = atoi (token);
- if (pnum >= MAX_PLAYERS)
+ if (pnum >= MAX_PLAYERS || pnum < 0)
 break;
 token = strtok (NULL, "");
 if (token == NULL) token = "";
@@ -514,7 +514,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
 token = strtok (data, " ");
 if (token == NULL) break;
 pnum = atoi (token);
- if (pnum >= MAX_PLAYERS)
+ if (pnum >= MAX_PLAYERS || pnum < 0)
 break;
 token = strtok (NULL, "");
 if (token == NULL) token = "";
@@ -526,7 +526,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
 {
 int pnum;
 pnum = atoi (data);
- if (pnum >= MAX_PLAYERS)
+ if (pnum >= MAX_PLAYERS || pnum < 0)
 break;
 /* player is out */
 playerplaying[pnum] = 0;
@@ -536,7 +536,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
 {
 int pnum;
 pnum = atoi (data);
- if (pnum >= MAX_PLAYERS)
+ if (pnum >= MAX_PLAYERS || pnum < 0)
 break;
 if (teamnames[pnum][0])
 g_snprintf (buf, sizeof(buf),
@@ -681,7 +681,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
 s = strtok (data, " ");
 if (s == NULL) break;
 pnum = atoi (s);
- if (pnum >= MAX_PLAYERS)
+ if (pnum >= MAX_PLAYERS || pnum < 0)
 break;
 s = strtok (NULL, "");
 if (s == NULL) break;
@@ -715,14 +715,14 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
 token = strtok (data, " ");
 if (token == NULL) break;
 to = atoi (token);
- if (to >= MAX_PLAYERS)
+ if (to >= MAX_PLAYERS || to < 0)
 break;
 sbid = strtok (NULL, " ");
 if (sbid == NULL) break;
 token = strtok (NULL, "");
 if (token == NULL) break;
 from = atoi(token);
- if (from >= MAX_PLAYERS)
+ if (from >= MAX_PLAYERS || from < 0)
 break;
 for (sbnum = 0; sbinfo[sbnum].id; sbnum ++)
 if (strcmp (sbid, sbinfo[sbnum].id) == 0) break;
@@ -737,7 +737,7 @@ void tetrinet_inmessage (enum inmsg_type msgtype, char *data)
 token = strtok (data, " ");
 if (token == NULL) break;
 pnum = atoi (token);
- if (pnum >= MAX_PLAYERS)
+ if (pnum >= MAX_PLAYERS || pnum <= 0)
 break;
 token = strtok (NULL, "");
 if (token == NULL) break;
-- 
2.50.1
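Review bot: The -737 hunk tests `pnum <= 0` where every other hunk in this patch tests `pnum < 0`, so slot 0 is rejected at this one site only. If that is deliberate for this message type, record the reason next to the check, for example `/* slot 0 is not a player for this message */`; if it is a slip, use `if (pnum >= MAX_PLAYERS || pnum < 0)` to match the rest. The case label and the array indexed by `pnum` are outside the hunk, so the diff alone cannot settle which reading is right.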