From de4bea0e74075857f2b22ab657b98f827a1297df Mon Sep 17 00:00:00 2001
From: Ozkan Sezer
Date: Fri, 24 Jun 2016 16:04:25 +0000
Subject: [PATCH] Loadgame_f() may go past sv.num_edicts, but it does not go through ED_Alloc(), therefore such ents will have uninitialized members. This used to lead to bad crashes with e.g. Rubicon Rumble Pack maps since svn r1286 when we began allocating sv.edicts using malloc and only zero-filling when necessary. So, check against sv.num_edicts and zero-fill the ent properly when necessary.

git-svn-id: svn://svn.code.sf.net/p/quakespasm/code/trunk/quakespasm@1318 af15c1b1-3010-417e-b628-4374ebc0bcbd
---
 Quake/host_cmd.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/Quake/host_cmd.c b/Quake/host_cmd.c
index b9ee3885..acd79604 100644
--- a/Quake/host_cmd.c
+++ b/Quake/host_cmd.c
@@ -1225,9 +1225,16 @@ void Host_Loadgame_f (void)
 		}
 		else
 		{	// parse an edict
-			ent = EDICT_NUM(entnum);
-			memset (&ent->v, 0, progs->entityfields * 4);
+			if (entnum < sv.num_edicts) {
+				memset (&ent->v, 0, progs->entityfields * 4);
+			}
+			else if (entnum < sv.max_edicts) {
+				memset (ent, 0, pr_edict_size);
+			}
+			else {
+				Host_Error ("Loadgame: no free edicts (max_edicts is %i)", sv.max_edicts);
+			}
 			ent->free = false;
 			ED_ParseEdict (start, ent);