From 5473e2229dde024a9ecee6d2b065ced3502667f6 Mon Sep 17 00:00:00 2001
From: Ari Johnson
Date: Mon, 22 Oct 2012 14:20:15 -0400
Subject: [PATCH] Detect integer math overflow to avoid division crash

Fixes #273
---
 game/txt/changes/0.73p3 | 1 +
 src/funmath.c | 46 +++++++++++++++++++++++------------------
 2 files changed, 27 insertions(+), 20 deletions(-)

diff --git a/game/txt/changes/0.73p3 b/game/txt/changes/0.73p3
index 5a42899..2b625a0 100644
--- a/game/txt/changes/0.73p3
+++ b/game/txt/changes/0.73p3
@@ -9,3 +9,4 @@ CobraMUSH Version 0.73p3
 Fixes:
 * Rename Idle_Times() to Unidle_Times(), fixes #259 [AEJ]
+ * Detect integer math overflow to avoid crash crash, fixes #273 [AEJ]
diff --git a/src/funmath.c b/src/funmath.c
index a37167e..574180a 100644
--- a/src/funmath.c
+++ b/src/funmath.c
@@ -1917,6 +1917,8 @@ MATH_FUNC(math_div)
 for (n = 1; n < nptr; n++) {
 int temp;
+ div_t q;
+
 if (!is_integer(ptr[n])) {
 safe_str(T(e_ints), buff, bp);
 return;
@@ -1928,17 +1930,13 @@ MATH_FUNC(math_div)
 return;
 }
- if (divresult < 0) {
- if (temp < 0)
- divresult = -divresult / -temp;
- else
- divresult = -(-divresult / temp);
- } else {
- if (temp < 0)
- divresult = -(divresult / -temp);
- else
- divresult = divresult / temp;
+ if (divresult == INT_MAX && temp == -1) {
+ safe_str(T("#-1 DOMAIN ERROR"), buff, bp);
+ return;
 }
+
+ q = div(divresult, temp);
+ divresult = q.quot;
 }
 safe_integer(divresult, buff, bp);
 }
@@ -1972,6 +1970,11 @@ MATH_FUNC(math_floordiv)
 return;
 }
+ if (divresult == INT_MIN && temp == -1) {
+ safe_str(T("#-1 DOMAIN ERROR"), buff, bp);
+ return;
+ }
+
 if (divresult < 0) {
 if (temp < 0)
 divresult = -divresult / -temp;
@@ -2051,6 +2054,11 @@ MATH_FUNC(math_modulo)
 return;
 }
+ if (divresult == INT_MIN && temp == -1) {
+ safe_str(T("#-1 DOMAIN ERROR"), buff, bp);
+ return;
+ }
+
 if (divresult < 0) {
 if (temp < 0)
 divresult = -(-divresult % -temp);
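Review bot: The overflow guard added to math_div tests `divresult == INT_MAX && temp == -1`, but the quotient that cannot be represented is INT_MIN / -1; INT_MAX / -1 is simply -INT_MAX. As written, an INT_MIN dividend with a -1 divisor still reaches `q = div(divresult, temp);`, whose behaviour is undefined when the quotient is unrepresentable (on common platforms the division traps), so the crash this commit targets stays reachable through this function while a valid INT_MAX / -1 is now rejected with a domain error. The other three guards in this patch use INT_MIN; this one should read `if (divresult == INT_MIN && temp == -1) {`. The body of math_div starts and ends outside the two hunks shown.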
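Review bot: The guard added to math_floordiv rejects only INT_MIN with temp == -1, yet the retained context line `divresult = -divresult / -temp;` still negates divresult, which is signed overflow (undefined behaviour) whenever divresult is INT_MIN and temp is any other negative value; `-temp` has the same problem when temp is INT_MIN. The math_modulo hunk keeps `divresult = -(-divresult % -temp);` with the same exposure. Since the operands appear to be parsed from caller-supplied strings (`ptr[n]`), it is worth doing the negation in a wider type, for example `divresult = (int) (-(long long) divresult / -(long long) temp);`, with the same treatment for the modulo line. The else branches of both functions lie outside the hunks and should be checked for the same pattern.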
@@ -2084,6 +2092,8 @@ MATH_FUNC(math_remainder)
 for (n = 1; n < nptr; n++) {
 int temp;
+ div_t r;
+
 if (!is_integer(ptr[n])) {
 safe_str(T(e_ints), buff, bp);
 return;
@@ -2095,17 +2105,13 @@ MATH_FUNC(math_remainder)
 return;
 }
- if (divresult < 0) {
- if (temp < 0)
- divresult = -(-divresult % -temp);
- else
- divresult = -(-divresult % temp);
- } else {
- if (temp < 0)
- divresult = divresult % -temp;
- else
- divresult = divresult % temp;
+ if (divresult == INT_MIN && temp == -1) {
+ safe_str(T("#-1 DOMAIN ERROR"), buff, bp);
+ return;
 }
+
+ r = div(divresult, temp);
+ divresult = r.rem;
 }
 safe_integer(divresult, buff, bp);
 }
-- 
2.30.2
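Review bot: In math_remainder the guard returns `#-1 DOMAIN ERROR` for INT_MIN with temp == -1, although the remainder of any integer divided by -1 is 0, so this input has a well-defined answer that the function now refuses. Handling the divisor before calling div() avoids both the undefined call and the spurious error: `if (temp == -1) { divresult = 0; continue; }`. Separately, `div()` and `INT_MIN` come from <stdlib.h> and <limits.h>, and the patch adds no include to src/funmath.c, so confirm both headers are already in scope there. The literal `"#-1 DOMAIN ERROR"` is now repeated in four functions; a shared message constant in the style of `e_ints` would keep them in sync.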