From d06c0ed7732f2193e32bc70b1f0fce1739f128a6 Mon Sep 17 00:00:00 2001
From: sezero
Date: Thu, 27 Sep 2012 09:55:41 +0000
Subject: [PATCH] console.c (Con_TabComplete): eliminated string buffer overflow issues.
git-svn-id: http://svn.code.sf.net/p/quakespasm/code/trunk/quakespasm@735 af15c1b1-3010-417e-b628-4374ebc0bcbd
---
 Quake/console.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/Quake/console.c b/Quake/console.c
index 2ff8ebf8..4e7d4337 100644
--- Quake/console.c
+++ Quake/console.c
@@ -950,11 +950,15 @@ void Con_TabComplete (void)
 const char *matched_map = BuildMapList(partial);
 if (!*matched_map)
 return;
- Q_strcpy (partial, matched_map);
- Q_strcpy (c, partial);
+ q_strlcpy (partial, matched_map, MAXCMDLINE);
+ *c = '\0';
+ q_strlcat (key_lines[edit_line], partial, MAXCMDLINE);
 key_linepos = c - key_lines[edit_line] + Q_strlen(matched_map); //set new cursor position
+ if (key_linepos >= MAXCMDLINE)
+ key_linepos = MAXCMDLINE - 1;
 // if only one match, append a space
- if ((key_lines[edit_line][key_linepos] == 0) && map_singlematch)
+ if (key_linepos < MAXCMDLINE - 1 &&
+ key_lines[edit_line][key_linepos] == 0 && map_singlematch)
 {
 key_lines[edit_line][key_linepos] = ' ';
 key_linepos++;
@@ -976,7 +980,7 @@ void Con_TabComplete (void)
 mark = Hunk_LowMark();
 if (!key_tabpartial[0]) //first time through
 {
- Q_strcpy (key_tabpartial, partial);
+ q_strlcpy (key_tabpartial, partial, MAXCMDLINE);
 BuildTabList (key_tabpartial);
 if (!tablist)
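Review bot: The bound passed to `q_strlcpy`/`q_strlcat` in the first hunk is the constant `MAXCMDLINE`, which is only correct if `partial` and each `key_lines[]` row are declared with exactly that many bytes. Those declarations are outside the hunk, as are the start and end of Con_TabComplete, so this cannot be confirmed from here. If they are true arrays in scope, tying the bound to the object keeps the check right when a declaration changes: `q_strlcpy (partial, matched_map, sizeof(partial));` and `q_strlcat (key_lines[edit_line], partial, sizeof(key_lines[edit_line]));`. The same applies to the `key_tabpartial` copy in the second hunk and to the three bounded calls in the last hunk. The return values are also discarded everywhere, so a completion that does not fit is silently truncated; presumably acceptable for a console line, but worth a one-line comment saying so.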
@@ -1021,13 +1025,17 @@ void Con_TabComplete (void)
 Hunk_FreeToLowMark(mark); //it's okay to free it here because match is a pointer to persistent data
 // insert new match into edit line
- Q_strcpy (partial, match); //first copy match string
- Q_strcat (partial, key_lines[edit_line] + key_linepos); //then add chars after cursor
- Q_strcpy (c, partial); //now copy all of this into edit line
+ q_strlcpy (partial, match, MAXCMDLINE); //first copy match string
+ q_strlcat (partial, key_lines[edit_line] + key_linepos, MAXCMDLINE); //then add chars after cursor
+ *c = '\0'; //now copy all of this into edit line
+ q_strlcat (key_lines[edit_line], partial, MAXCMDLINE);
 key_linepos = c - key_lines[edit_line] + Q_strlen(match); //set new cursor position
+ if (key_linepos >= MAXCMDLINE)
+ key_linepos = MAXCMDLINE - 1;
 // if cursor is at end of string, let's append a space to make life easier
- if (key_lines[edit_line][key_linepos] == 0 && bash_singlematch)
+ if (key_linepos < MAXCMDLINE - 1 &&
+ key_lines[edit_line][key_linepos] == 0 && bash_singlematch)
 {
 key_lines[edit_line][key_linepos] = ' ';
 key_linepos++;
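Review bot: The trailing comment `//now copy all of this into edit line` is left on `*c = '\0';`, which only cuts the edit line at `c`, where the inserted match begins; the actual copy is the `q_strlcat` on the following line. I would write `*c = '\0'; // cut the edit line where the match is inserted` and move the original comment onto `q_strlcat (key_lines[edit_line], partial, MAXCMDLINE);`. A short comment is also warranted on the ordering: the characters after the cursor have to be saved into `partial` before the truncation, because `key_lines[edit_line] + key_linepos` points into the buffer that is about to be cut and rewritten. The function starts and ends outside this hunk.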