ED_ParseEpair: don't read garbage into vectors if the string is too short

This is a bug from vanilla.
Shows up in qump_vingal.bsp from QUMP, which has func_illusionary
entities with "origin" "". Example are the torch holders before
the first door in the map.
Prior to this commit the vector would possibly get a garbage value,
depending on what was on the stack.

see: http://celephais.net/board/view_thread.php?id=61523&start=53&end=61

git-svn-id: svn://svn.code.sf.net/p/quakespasm/code/trunk/quakespasm@1527 af15c1b1-3010-417e-b628-4374ebc0bcbd

Quake/pr_edict.c

@@ -777,6 +777,7 @@ static qboolean	ED_ParseEpair (void *base, ddef_t *key, const char *s)
 	char	string[128];
 	ddef_t	*def;
 	char	*v, *w;
+	char	*end;
 	void	*d;
 	dfunction_t	*func;
 
@@ -793,17 +794,29 @@ static qboolean	ED_ParseEpair (void *base, ddef_t *key, const char *s)
 		break;
 
 	case ev_vector:
-		strcpy (string, s);
+		q_strlcpy(string, s, sizeof(string));
+		end = (char *)string + strlen(string);
 		v = string;
 		w = string;
-		for (i = 0; i < 3; i++)
+			
+		for (i = 0; i < 3 && (w <= end); i++) // ericw -- added (w <= end) check
 		{
+		// set `v` to the next space (or 0 byte), and change that char to a 0 byte
 			while (*v && *v != ' ')
 				v++;
 			*v = 0;
 			((float *)d)[i] = atof (w);
 			w = v = v+1;
 		}
+			
+	// ericw -- fill remaining elements to 0.0f in case we hit the end of string before reading 3 floats
+		if (i < 3)
+		{
+			if (developer.value)
+				Con_DWarning("vanilla will read garbage for \"%s\" \"%s\"\n", PR_GetString(key->s_name), s);
+			for (; i < 3; i++)
+				((float *)d)[i] = 0.0f;
+		}
 		break;
 
 	case ev_entity: