From 429b29a669cb05af71a1648c45c3da0ec467a6a7 Mon Sep 17 00:00:00 2001
From: Eric Wasylishen
Date: Thu, 12 Sep 2019 04:06:54 +0000
Subject: [PATCH] Sky_NewMap: avoid stack buffer underflow on the "remove trailing spaces" line that happened if a map had an empty string worldspawn key, detected by ASan on macOS with demo_map.bsp from SlayerTest. Also prevent the strcpy's from overflowing the buffers in case of long keys.
git-svn-id: svn://svn.code.sf.net/p/quakespasm/code/trunk/quakespasm@1624 af15c1b1-3010-417e-b628-4374ebc0bcbd
---
 Quake/gl_fog.c | 8 ++++----
 Quake/gl_rmisc.c | 8 ++++----
 Quake/gl_sky.c | 8 ++++----
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/Quake/gl_fog.c b/Quake/gl_fog.c
index e0e3996a..081c3641 100644
--- a/Quake/gl_fog.c
+++ b/Quake/gl_fog.c
@@ -205,15 +205,15 @@ void Fog_ParseWorldspawn (void)
 if (com_token[0] == '}')
 break; // end of worldspawn
 if (com_token[0] == '_')
- strcpy(key, com_token + 1);
+ q_strlcpy(key, com_token + 1, sizeof(key));
 else
- strcpy(key, com_token);
- while (key[strlen(key)-1] == ' ') // remove trailing spaces
+ q_strlcpy(key, com_token, sizeof(key));
+ while (strlen(key) > 0 && key[strlen(key)-1] == ' ') // remove trailing spaces
 key[strlen(key)-1] = 0;
 data = COM_Parse(data);
 if (!data)
 return; // error
- strcpy(value, com_token);
+ q_strlcpy(value, com_token, sizeof(value));
 
 if (!strcmp("fog", key))
 {
diff --git a/Quake/gl_rmisc.c b/Quake/gl_rmisc.c
index 4e742a80..2fa373f0 100644
--- a/Quake/gl_rmisc.c
+++ b/Quake/gl_rmisc.c
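Review bot: The bounded copies on the `+` lines truncate silently: a key or value longer than its buffer is cut to `sizeof(key)-1` / `sizeof(value)-1` bytes and then processed as if it were complete, so an over-long `fog` value reaches the dispatch below as a different string than the map author wrote. If `q_strlcpy` follows the BSD `strlcpy` contract and returns the length of the source, the truncation is detectable and the pair can be skipped rather than acted on, e.g. `if (q_strlcpy(value, com_token, sizeof(value)) >= sizeof(value)) continue; // value truncated, ignore this pair` with the same check on the two `key` copies. The `key`/`value` declarations and the body of the `fog` branch are outside the hunk, so `sizeof` is only a bound if both are arrays rather than pointers, which the commit message implies but the hunk cannot show. `Fog_ParseWorldspawn` begins before and continues past this hunk.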
@@ -352,15 +352,15 @@ static void R_ParseWorldspawn (void)
 if (com_token[0] == '}')
 break; // end of worldspawn
 if (com_token[0] == '_')
- strcpy(key, com_token + 1);
+ q_strlcpy(key, com_token + 1, sizeof(key));
 else
- strcpy(key, com_token);
- while (key[strlen(key)-1] == ' ') // remove trailing spaces
+ q_strlcpy(key, com_token, sizeof(key));
+ while (strlen(key) > 0 && key[strlen(key)-1] == ' ') // remove trailing spaces
 key[strlen(key)-1] = 0;
 data = COM_Parse(data);
 if (!data)
 return; // error
- strcpy(value, com_token);
+ q_strlcpy(value, com_token, sizeof(value));
 
 if (!strcmp("wateralpha", key))
 map_wateralpha = atof(value);
diff --git a/Quake/gl_sky.c b/Quake/gl_sky.c
index 7c9cf639..3119ebe5 100644
--- a/Quake/gl_sky.c
+++ b/Quake/gl_sky.c
@@ -248,15 +248,15 @@ void Sky_NewMap (void)
 if (com_token[0] == '}')
 break; // end of worldspawn
 if (com_token[0] == '_')
- strcpy(key, com_token + 1);
+ q_strlcpy(key, com_token + 1, sizeof(key));
 else
- strcpy(key, com_token);
- while (key[strlen(key)-1] == ' ') // remove trailing spaces
+ q_strlcpy(key, com_token, sizeof(key));
+ while (strlen(key) > 0 && key[strlen(key)-1] == ' ') // remove trailing spaces
 key[strlen(key)-1] = 0;
 data = COM_Parse(data);
 if (!data)
 return; // error
- strcpy(value, com_token);
+ q_strlcpy(value, com_token, sizeof(value));
 
 if (!strcmp("sky", key))
 Sky_LoadSkyBox(value);
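Review bot: The rewritten trailing-space loop in `R_ParseWorldspawn` now calls `strlen(key)` three times per iteration (twice in the condition, once in the body), which reads as a guard bolted onto the old loop rather than a fix for the underflow, and it hides the one fact that matters: the index is only valid when the length is non-zero. Caching the length makes that explicit and drops the repeated scans: `size_t len = strlen(key); while (len > 0 && key[len-1] == ' ') key[--len] = 0;` (with `len` declared alongside the other locals if this file keeps C89-style declarations). Behaviour is unchanged: the loop still stops at the first non-space byte or at the empty string that triggered the ASan report. The enclosing function starts before and ends after the hunk.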
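Review bot: `Sky_NewMap` carries the third verbatim copy of the worldspawn key/value parsing lines in this patch (the same dozen lines are changed identically in `Fog_ParseWorldspawn` and `R_ParseWorldspawn`), and the underflow named in the subject had to be fixed three times because of that duplication; the next tokenizer or bounds fix will need the same triple edit. A single shared helper that takes the cursor from `COM_Parse` together with `key`/`value` and their sizes, strips the leading `_` and trailing spaces, and returns the advanced cursor (or NULL at `}` or on error) would let each of the three callers shrink to its `strcmp` dispatch, so a bounds check lands once. Until then, a comment on the `while` line such as `// key may be empty (e.g. a bare "_" key); check before indexing len-1` would record why the new guard exists, since the commit message is the only place that currently explains it. The function begins before and may continue past this hunk.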