From 843716dfd89476bb18067c70b03a4c0e01421afe Mon Sep 17 00:00:00 2001
From: halbeno
Date: Tue, 22 May 2018 17:37:59 -0600
Subject: [PATCH] Check input string length before checking fourth byte. (For the case of '/j\n', joining with no channel)
---
 ii.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)
diff --git a/ii.c b/ii.c
index ad59064..ce723cf 100644
--- a/ii.c
+++ b/ii.c
@@ -470,21 +470,23 @@ proc_channels_input(int ircfd, Channel *c, char *buf)
 if (buf[2] == ' ' || buf[2] == '\0') {
 switch (buf[1]) {
 case 'j': /* join */
- if ((p = strchr(&buf[3], ' '))) /* password parameter */
- *p = '\0';
- if ((buf[3] == '#') || (buf[3] == '&') || (buf[3] == '+') ||
- (buf[3] == '!'))
- {
- /* password protected channel */
- if (p)
- snprintf(msg, sizeof(msg), "JOIN %s %s\r\n", &buf[3], p + 1);
- else
- snprintf(msg, sizeof(msg), "JOIN %s\r\n", &buf[3]);
- channel_join(&buf[3]);
- } else if (p) {
- if ((c = channel_join(&buf[3])))
- proc_channels_privmsg(ircfd, c, p + 1);
- return;
+ if (buflen >= 3) {
+ if ((p = strchr(&buf[3], ' '))) /* password parameter */
+ *p = '\0';
+ if ((buf[3] == '#') || (buf[3] == '&') || (buf[3] == '+') ||
+ (buf[3] == '!'))
+ {
+ /* password protected channel */
+ if (p)
+ snprintf(msg, sizeof(msg), "JOIN %s %s\r\n", &buf[3], p + 1);
+ else
+ snprintf(msg, sizeof(msg), "JOIN %s\r\n", &buf[3]);
+ channel_join(&buf[3]);
+ } else if (p) {
+ if ((c = channel_join(&buf[3])))
+ proc_channels_privmsg(ircfd, c, p + 1);
+ return;
+ }
 }
 break;
 case 't': /* topic */
--
2.17.0
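Review bot: The length guard in `case 'j'` is easier to audit as an early exit than as a wrapper that re-indents the whole body: `if (buflen < 3) break; /* bare "/j": buf[2] is the terminator, so &buf[3] would be past the string */` keeps the reason next to the check and leaves the following 15 lines untouched. The guard is only sound if `buflen` holds `strlen(buf)` for this same buffer; it is assigned outside the hunk, so that is worth confirming. The other command cases should be checked for the same `&buf[3]` access without a length test (`case 't'` begins at the end of this hunk and its body is not shown). Separately, both `snprintf` calls into `msg` ignore the return value, so an over-long channel name or key is truncated silently and the line can be cut off before its `\r\n`.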