commit 63df5c26a981d4ade2f1fec2b76b2e0e8ae21c24 from: Markus Uhlin via: GitHub date: Sat Aug 16 23:03:29 2025 UTC Potential fix for code scanning alert no. 9: Uncontrolled data used in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> commit - 0725a74c6c03ed0c50b100026f7163eb7887ec38 commit + 63df5c26a981d4ade2f1fec2b76b2e0e8ae21c24 blob - 73c1ae0884f309341d57fca1d362a5326ffcae30 blob + 4d0fe29067ab3e3f7f5dc3c51b158a37788c6ab5 --- FICS/obsproc.c +++ FICS/obsproc.c @@ -1003,6 +1003,12 @@ FindHistory(int p, int p1, int p_game) fclose(fpHist); + /* Validate 'when' before using it in a path */ + if (when <= 0 || when > 9999999999L) { + pprintf(p, "Corrupt history data for %s (invalid timestamp).\n", parray[p1].name); + return NULL; + } + msnprintf(fileName, sizeof fileName, "%s/%ld/%ld", hist_dir, (when % 100), when); return (&fileName[0]);
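Review bot: The upper bound `9999999999L` in the added `if (when <= 0 || when > 9999999999L)` does not fit a 32-bit `long`, so on ILP32 or LLP64 builds the literal takes a wider type and that half of the test can never be true. The declaration of `when` is outside the hunk, but the `%ld` conversions in the `msnprintf` call suggest it is a `long`. I would name the limit and state its intent next to the check, for example `/* reject values longer than 10 decimal digits so the path component stays bounded */`, so it does not read as a magic number. Because `when` is formatted with `%ld` it can only add digits and a sign to the path, so the added test is a sanity filter on the stored value. What decides whether the alert is really closed is whether `when` is always assigned by a checked parse of the history file, which cannot be confirmed here because FindHistory's body starts above the hunk; callers also need to cope with the new `return NULL` path.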