ED_ParseEpair: don't read garbage into vectors if the string is too short

This is a bug from vanilla. Shows up in qump_vingal.bsp from QUMP, which has func_illusionary entities with "origin" "". Example are the torch holders before the first door in the map. Prior to this commit the vector would possibly get a garbage value, depending on what was on the stack. see: http://celephais.net/board/view_thread.php?id=61523&start=53&end=61 git-svn-id: svn://svn.code.sf.net/p/quakespasm/code/trunk/quakespasm@1527 af15c1b1-3010-417e-b628-4374ebc0bcbd
2017-11-07 21:49:32 +00:00 · 2017-11-07 21:49:32 +00:00 · 78970b5323
parent bbcdd9cbac
commit 78970b5323
1 changed files with 15 additions and 2 deletions
--- a/Quake/pr_edict.c
+++ b/Quake/pr_edict.c
@ -777,6 +777,7 @@ static qboolean	ED_ParseEpair (void *base, ddef_t *key, const char *s)
 	char	string[128];
 	ddef_t	*def;
 	char	*v, *w;
+	char	*end;
 	void	*d;
 	dfunction_t	*func;

@ -793,17 +794,29 @@ static qboolean	ED_ParseEpair (void *base, ddef_t *key, const char *s)
 		break;

 	case ev_vector:
-		strcpy (string, s);
+		q_strlcpy(string, s, sizeof(string));
+		end = (char *)string + strlen(string);
 		v = string;
 		w = string;
-		for (i = 0; i < 3; i++)
+			
+		for (i = 0; i < 3 && (w <= end); i++) // ericw -- added (w <= end) check
 		{
+		// set `v` to the next space (or 0 byte), and change that char to a 0 byte
 			while (*v && *v != ' ')
 				v++;
 			*v = 0;
 			((float *)d)[i] = atof (w);
 			w = v = v+1;
 		}
+			
+	// ericw -- fill remaining elements to 0.0f in case we hit the end of string before reading 3 floats
+		if (i < 3)
+		{
+			if (developer.value)
+				Con_DWarning("vanilla will read garbage for \"%s\" \"%s\"\n", PR_GetString(key->s_name), s);
+			for (; i < 3; i++)
+				((float *)d)[i] = 0.0f;
+		}
 		break;

 	case ev_entity: