Fix internal line editor buffer overflow (heap corruption)

... wasn't accounting for length of the 'top' buffer (when supplied). Also, for raw input mode: - flush the input buffer (stray LF) before accepting input - turn off raw input mode if run out of bytes (max lines/length reached) I was investigating the reported error by Nelgin: !ERROR in writemsg.cpp line 1214 (msgeditor) checking "max lines (20) exceeded" access=46 which I was unable to reproduce, when I encountered the issues addressed in this commit.

Fix internal line editor buffer overflow (heap corruption)
daf8fa55 · Rob Swindell · b256f4ae · daf8fa55
Commit daf8fa55 authored 1 year ago by Rob Swindell
--- a/src/sbbs3/writemsg.cpp
+++ b/src/sbbs3/writemsg.cpp
@@ -293,7 +293,7 @@ bool sbbs_t::writemsg(const char *fname, const char *top, char *subj, int mode,
 	if(editor!=NULL)
 		*editor=NULL;
-	if((buf=(char*)malloc((cfg.level_linespermsg[useron_level]*MAX_LINE_LEN) + 1))
+	if((buf=(char*)malloc(strlen(top) + (cfg.level_linespermsg[useron_level]*MAX_LINE_LEN) + 1))
 		==NULL) {
 		errormsg(WHERE,ERR_ALLOC,fname
 			,(cfg.level_linespermsg[useron_level]*MAX_LINE_LEN) +1);
@@ -530,6 +530,7 @@ bool sbbs_t::writemsg(const char *fname, const char *top, char *subj, int mode,
 		bprintf(text[EnterMsgNowRaw]
 			,(ulong)cfg.level_linespermsg[useron_level]*MAX_LINE_LEN);
+		rioctl(IOFI);       // flush input buffer (e.g. stray LFs in input)
 		if(top[0] && !(mode&WM_NOTOP)) {
 			strcpy((char *)buf,top);
 			l=strlen((char *)buf);
@@ -555,6 +556,7 @@ bool sbbs_t::writemsg(const char *fname, const char *top, char *subj, int mode,
 			outchar(c);
 			buf[l++]=c;
 		}
+		console &= ~CON_RAW_IN; // Turn off raw input mode in case the input exceeded length limit
 		buf[l]=0;
 		if(l==(ulong)cfg.level_linespermsg[useron_level]*MAX_LINE_LEN)
 			bputs(text[OutOfBytes]);