gl_model.c: Mod_LoadTextures: avoid crash on broken maps such as jam2_tronyn.bsp or kellbase1.bsp, where we try to read texture pixel data past the end of the texture lump (crashing because the textue lump is the last thing in the .bsp file buffer).

This would only hapen on OS X or Linux (perhaps just luck or windows is more leniant about reading ~40 bytes past the end of a malloc). Note this will only handle cases where the lump size is recorded as being too small, we will still crash if the bsp file itself is truncated since there are generally no checks against the whole .bsp file buffer size.

FYI, the corruption in jam2_tronyn.bsp was caused by a bug in tyrutils which is fixed now: http://disenchant.net/git/?p=tyrutils&a=commit&h=5111c5485c96918b937843715f9b8f51f263e40e
Not sure about kellbase1.bsp (quoth).

git-svn-id: svn+ssh://svn.code.sf.net/p/quakespasm/code/trunk@1228 af15c1b1-3010-417e-b628-4374ebc0bcbd

quakespasm/Quake/gl_model.c

@@ -442,6 +442,16 @@ void Mod_LoadTextures (lump_t *l)
 		for (j=0 ; j<MIPLEVELS ; j++)
 			tx->offsets[j] = mt->offsets[j] + sizeof(texture_t) - sizeof(miptex_t);
 		// the pixels immediately follow the structures
+
+		// ericw -- check for pixels extending past the end of the lump.
+		// appears in the wild; e.g. jam2_tronyn.bsp (func_mapjam2),
+		// kellbase1.bsp (quoth), and can lead to a segfault if we read past
+		// the end of the .bsp file buffer
+		if (((byte*)(mt+1) + pixels) > (mod_base + l->fileofs + l->filelen))
+		{
+			Con_DPrintf("Texture %s extends past end of lump\n", mt->name);
+			pixels = q_max(0, (mod_base + l->fileofs + l->filelen) - (byte*)(mt+1));
+		}
 		memcpy ( tx+1, mt+1, pixels);
 
 		tx->update_warp = false; //johnfitz