From c9274d0feb461e854df77bf60df5b372bab3e212 Mon Sep 17 00:00:00 2001
From: ewasylishen
Date: Tue, 7 Nov 2017 21:49:32 +0000
Subject: [PATCH] ED_ParseEpair: don't read garbage into vectors if the string is too short

This is a bug from vanilla. Shows up in qump_vingal.bsp from QUMP, which has func_illusionary entities with "origin" "". Example are the torch holders before the first door in the map. Prior to this commit the vector would possibly get a garbage value, depending on what was on the stack.
see: http://celephais.net/board/view_thread.php?id=61523&start=53&end=61
git-svn-id: svn+ssh://svn.code.sf.net/p/quakespasm/code/trunk@1527 af15c1b1-3010-417e-b628-4374ebc0bcbd
---
 quakespasm/Quake/pr_edict.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/quakespasm/Quake/pr_edict.c b/quakespasm/Quake/pr_edict.c
index 5c8fc2f0..562bb930 100644
--- a/quakespasm/Quake/pr_edict.c
+++ b/quakespasm/Quake/pr_edict.c
@@ -777,6 +777,7 @@ static qboolean ED_ParseEpair (void *base, ddef_t *key, const char *s)
 char string[128];
 ddef_t *def;
 char *v, *w;
+ char *end;
 void *d;
 dfunction_t *func;
 
@@ -793,17 +794,29 @@ static qboolean ED_ParseEpair (void *base, ddef_t *key, const char *s)
 break;
 
 case ev_vector:
- strcpy (string, s);
+ q_strlcpy(string, s, sizeof(string));
+ end = (char *)string + strlen(string);
 v = string;
 w = string;
- for (i = 0; i < 3; i++)
+
+ for (i = 0; i < 3 && (w <= end); i++) // ericw -- added (w <= end) check
 {
+ // set `v` to the next space (or 0 byte), and change that char to a 0 byte
 while (*v && *v != ' ')
 v++;
 *v = 0;
 ((float *)d)[i] = atof (w);
 w = v = v+1;
 }
+
+ // ericw -- fill remaining elements to 0.0f in case we hit the end of string before reading 3 floats
+ if (i < 3)
+ {
+ if (developer.value)
+ Con_DWarning("vanilla will read garbage for \"%s\" \"%s\"\n", PR_GetString(key->s_name), s);
+ for (; i < 3; i++)
+ ((float *)d)[i] = 0.0f;
+ }
 break;
 
 case ev_entity:
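Review bot: The new `q_strlcpy(string, s, sizeof(string))` bounds a copy that `strcpy` left unbounded, but a value longer than 127 characters is now truncated silently and parsed as though it were complete, while the short-string case on the same path does get a `Con_DWarning`. Since `s` is map entity data, I would warn on truncation as well, e.g. `if (strlen(s) >= sizeof(string)) Con_DWarning("vector value truncated for \"%s\"\n", PR_GetString(key->s_name));` before computing `end` (if `q_strlcpy` returns the source length like strlcpy, its return value can replace that `strlen(s)` call). Two smaller nits: the `(char *)` cast on `string` is redundant since `string` is already a `char` array, and the `if (developer.value)` guard may duplicate a check that `Con_DWarning` performs itself — worth confirming in console.c. Note also that `atof` yields 0 for a non-numeric token, so a malformed component is indistinguishable from a genuine 0; `strtod` with an end-pointer check would let the new warning cover that case too. ED_ParseEpair begins and ends outside this hunk.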