From 413272b977613a524556c6b1b9425a4dcf7e4c9f Mon Sep 17 00:00:00 2001
From: Eric Wasylishen
Date: Mon, 8 Jan 2018 05:02:14 +0000
Subject: [PATCH] Mod_DecompressVis: don't overflow output buffer given invalid visdata
Fixes crash on death32c.bsp: http://sourceforge.net/p/quakespasm/bugs/25/
git-svn-id: svn://svn.code.sf.net/p/quakespasm/code/trunk/quakespasm@1548 af15c1b1-3010-417e-b628-4374ebc0bcbd
---
 Quake/gl_model.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/Quake/gl_model.c b/Quake/gl_model.c
index dbbb074f..6ead1e2d 100644
--- a/Quake/gl_model.c
+++ b/Quake/gl_model.c
@@ -132,6 +132,7 @@ byte *Mod_DecompressVis (byte *in, qmodel_t *model)
 {
 int c;
 byte *out;
+ byte *outend;
 int row;
 row = (model->numleafs+7)>>3;
@@ -143,6 +144,7 @@ byte *Mod_DecompressVis (byte *in, qmodel_t *model)
 Sys_Error ("Mod_DecompressVis: realloc() failed on %d bytes", mod_decompressed_capacity);
 }
 out = mod_decompressed;
+ outend = mod_decompressed + row;
 #if 0
 memcpy (out, in, row);
@@ -169,6 +171,16 @@ byte *Mod_DecompressVis (byte *in, qmodel_t *model)
 in += 2;
 while (c)
 {
+ if (out == outend)
+ {
+ static qboolean warned = false;
+ if (!warned)
+ {
+ warned = true;
+ Con_Printf("Mod_DecompressVis: output overrun on model \"%s\"\n", model->name);
+ }
+ return mod_decompressed;
+ }
 *out++ = 0;
 c--;
 }
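Review bot: The new `out == outend` guard in the `while (c)` loop of the third hunk bounds only the write side; the read side still looks unbounded from these hunks, because `Mod_DecompressVis (byte *in, qmodel_t *model)` takes no input length and `in += 2` advances with no end check, so truncated or malformed visdata can presumably still be read past the end of its buffer. Consider carrying an end-of-input pointer alongside `outend` and leaving through the same warning path when `in` reaches it. The `static qboolean warned` latch is also process-wide, so only the first bad model is ever named on the console; a per-model flag would keep later malformed maps visible to whoever is triaging them. The loop that encloses this code starts and ends outside the hunk, so the literal-byte copy path could not be checked here.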