From 52dd60dc86f0a0c26eaca2c804ff930a3f571268 Mon Sep 17 00:00:00 2001
From: jfreegman
Date: Mon, 28 Aug 2017 19:37:19 -0400
Subject: [PATCH] Fix potential int truncation and double-check lengths before copy

---
 src/friendlist.c | 15 ++++++++++++---
 src/friendlist.h |  4 ++--
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/friendlist.c b/src/friendlist.c
index 7dce1a6..eeb25f8 100644
--- a/src/friendlist.c
+++ b/src/friendlist.c
@@ -153,10 +153,14 @@ static int save_blocklist(char *path)
         }
 
         if (Blocked.list[i].active) {
+            if (Blocked.list[i].namelength > TOXIC_MAX_NAME_LENGTH) {
+                continue;
+            }
+
             BlockedFriend tmp;
             memset(&tmp, 0, sizeof(BlockedFriend));
             tmp.namelength = htons(Blocked.list[i].namelength);
-            memcpy(tmp.name, Blocked.list[i].name, Blocked.list[i].namelength + 1);
+            memcpy(tmp.name, Blocked.list[i].name, Blocked.list[i].namelength + 1); // Include null byte
             memcpy(tmp.pub_key, Blocked.list[i].pub_key, TOX_PUBLIC_KEY_SIZE);
 
             uint8_t lastonline[sizeof(uint64_t)];
@@ -250,10 +254,15 @@ int load_blocklist(char *path)
         memset(&Blocked.list[i], 0, sizeof(BlockedFriend));
         memcpy(&tmp, data + i * sizeof(BlockedFriend), sizeof(BlockedFriend));
 
+        Blocked.list[i].namelength = ntohs(tmp.namelength);
+
+        if (Blocked.list[i].namelength > TOXIC_MAX_NAME_LENGTH) {
+            continue;
+        }
+
         Blocked.list[i].active = true;
         Blocked.list[i].num = i;
-        Blocked.list[i].namelength = MIN(TOXIC_MAX_NAME_LENGTH, ntohs(tmp.namelength));
-        memcpy(Blocked.list[i].name, tmp.name, Blocked.list[i].namelength + 1);
+        memcpy(Blocked.list[i].name, tmp.name, Blocked.list[i].namelength + 1); // copy null byte
         memcpy(Blocked.list[i].pub_key, tmp.pub_key, TOX_PUBLIC_KEY_SIZE);
 
         uint8_t lastonline[sizeof(uint64_t)];
diff --git a/src/friendlist.h b/src/friendlist.h
index 230c99a..b2ca025 100644
--- a/src/friendlist.h
+++ b/src/friendlist.h
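Review bot: The new length guard in save_blocklist fails open: when `namelength` exceeds `TOXIC_MAX_NAME_LENGTH` the `continue` drops the whole blocked friend from the file, so after the next load that contact is no longer blocked, and nothing records that it happened. Since `name` is declared `char name[TOXIC_MAX_NAME_LENGTH + 1]`, an over-limit length here means an inconsistent in-memory entry rather than a legitimately long name, so clamping keeps the block while still bounding the copy, e.g. `uint16_t len = MIN(Blocked.list[i].namelength, TOXIC_MAX_NAME_LENGTH);` then `tmp.namelength = htons(len); memcpy(tmp.name, Blocked.list[i].name, len + 1);`. Whichever policy is chosen, the skip should at least be logged so a silently unblocked contact can be traced. save_blocklist begins and ends outside this hunk.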
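Review bot: The `memcpy` in load_blocklist trusts the file to supply the terminator: it copies `namelength + 1` bytes out of `tmp.name`, and the byte at index `namelength` comes straight from the on-disk record, so a record with `namelength == TOXIC_MAX_NAME_LENGTH` and no NUL fills all `TOXIC_MAX_NAME_LENGTH + 1` bytes of `name` and leaves it unterminated (the preceding `memset` only covers shorter names). Anything that later treats `name` as a C string would read on into `pub_key`. Terminate explicitly after the copy, `Blocked.list[i].name[Blocked.list[i].namelength] = '\0';`, and replace the comment `// copy null byte`, which states a guarantee the data does not give, with `// terminator is forced below; do not rely on the file`. The early `continue` also leaves `namelength` holding the rejected value in an entry that is otherwise zeroed and inactive; assigning it only after the check keeps inactive slots consistent. load_blocklist begins and ends outside this hunk.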
@@ -44,7 +44,7 @@ struct GroupChatInvite {
 typedef struct {
     char name[TOXIC_MAX_NAME_LENGTH + 1];
-    int namelength;
+    uint16_t namelength;
     char statusmsg[TOX_MAX_STATUS_MESSAGE_LENGTH + 1];
     size_t statusmsg_len;
     char pub_key[TOX_PUBLIC_KEY_SIZE];
@@ -65,7 +65,7 @@ typedef struct {
 typedef struct {
     char name[TOXIC_MAX_NAME_LENGTH + 1];
-    int namelength;
+    uint16_t namelength;
     char pub_key[TOX_PUBLIC_KEY_SIZE];
     uint32_t num;
     bool active;
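Review bot: Narrowing `namelength` to `uint16_t` makes the `> TOXIC_MAX_NAME_LENGTH` comparisons in friendlist.c well-defined, but every other store into this field (presumably `size_t` values from the Tox API or `int` locals) now truncates silently, and none of those sites are touched by this patch; a build with `-Wconversion` would locate them. The field also deserves a comment stating the invariant the .c side now enforces: `uint16_t namelength;  /* bytes in name, excluding NUL; never exceeds TOXIC_MAX_NAME_LENGTH */`. The first struct keeps `size_t statusmsg_len` next to the new `uint16_t namelength`; if both lengths are handled alike elsewhere, a matching width avoids mixed-width comparisons later. Both typedefs begin and end outside these hunks.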