From 76ea7385dd94aac435a858b05f87820e1cfadfd6 Mon Sep 17 00:00:00 2001
From: Alex Lo <alex@acslo.com>
Date: Fri, 1 Nov 2013 00:24:58 +0000
Subject: [PATCH] Fixed a number of out of bounds accesses.

Visual Studio's static code analyser found a number of out of bounds array
accesses. This commit fixes a number of them as well as a few other problems
the analyser brought up.

This also fixes #1 in the issue tracker.
---
 tools/quake3/q3map2/bspfile_abstract.c           | 9 +++++++--
 tools/quake3/q3map2/light_bounce.c               | 8 ++++----
 tools/quake3/q3map2/lightmaps_ydnar.c            | 5 +++++
 tools/quake3/q3map2/main.c                       | 2 +-
 tools/quake3/q3map2/q3map2.h                     | 2 +-
 tools/quake3/q3map2/shaders.c                    | 1 +
 tools/quake3/q3map2/surface_meta.c               | 3 ++-
 tools/urt/tools/quake3/q3map2/bspfile_abstract.c | 9 +++++++--
 tools/urt/tools/quake3/q3map2/light_bounce.c     | 8 ++++----
 tools/urt/tools/quake3/q3map2/main.c             | 2 +-
 tools/urt/tools/quake3/q3map2/q3map2.h           | 2 +-
 tools/urt/tools/quake3/q3map2/shaders.c          | 2 ++
 tools/urt/tools/quake3/q3map2/surface_meta.c     | 3 ++-
 13 files changed, 38 insertions(+), 18 deletions(-)

diff --git a/tools/quake3/q3map2/bspfile_abstract.c b/tools/quake3/q3map2/bspfile_abstract.c
index 587cd716..524d5cc3 100644
--- a/tools/quake3/q3map2/bspfile_abstract.c
+++ b/tools/quake3/q3map2/bspfile_abstract.c
@@ -68,6 +68,8 @@ void IncDrawVerts(){
 
 	}
 	else if ( numBSPDrawVerts > numBSPDrawVertsBuffer ) {
+		bspDrawVert_t *newBspDrawVerts;
+
 		numBSPDrawVertsBuffer *= 3; // multiply by 1.5
 		numBSPDrawVertsBuffer /= 2;
 
@@ -75,11 +77,14 @@ void IncDrawVerts(){
 			numBSPDrawVertsBuffer = MAX_MAP_DRAW_VERTS;
 		}
 
-		bspDrawVerts = realloc( bspDrawVerts, sizeof( bspDrawVert_t ) * numBSPDrawVertsBuffer );
+		newBspDrawVerts = realloc( bspDrawVerts, sizeof( bspDrawVert_t ) * numBSPDrawVertsBuffer );
 
-		if ( !bspDrawVerts ) {
+		if ( !newBspDrawVerts ) {
+			free (bspDrawVerts);
 			Error( "realloc() failed (IncDrawVerts)" );
 		}
+
+		bspDrawVerts = newBspDrawVerts;
 	}
 
 	memset( bspDrawVerts + ( numBSPDrawVerts - 1 ), 0, sizeof( bspDrawVert_t ) );
diff --git a/tools/quake3/q3map2/light_bounce.c b/tools/quake3/q3map2/light_bounce.c
index 18249457..bc6fb91e 100644
--- a/tools/quake3/q3map2/light_bounce.c
+++ b/tools/quake3/q3map2/light_bounce.c
@@ -185,10 +185,10 @@ static void RadClipWindingEpsilon( radWinding_t *in, vec3_t normal, vec_t dist,
 	}
 
 	/* error check */
-	if ( front->numVerts > maxPoints || front->numVerts > maxPoints ) {
+	if ( front->numVerts > maxPoints ) {
 		Error( "RadClipWindingEpsilon: points exceeded estimate" );
 	}
-	if ( front->numVerts > MAX_POINTS_ON_WINDING || front->numVerts > MAX_POINTS_ON_WINDING ) {
+	if ( front->numVerts > MAX_POINTS_ON_WINDING ) {
 		Error( "RadClipWindingEpsilon: MAX_POINTS_ON_WINDING" );
 	}
 }
@@ -279,7 +279,7 @@ static void RadSample( int lightmapNum, bspDrawSurface_t *ds, rawLightmap_t *lm,
 			/* multiply by texture color */
 			if ( !RadSampleImage( si->lightImage->pixels, si->lightImage->width, si->lightImage->height, rw->verts[ samples ].st, textureColor ) ) {
 				VectorCopy( si->averageColor, textureColor );
-				textureColor[ 4 ] = 255.0f;
+				textureColor[ 3 ] = 255.0f;
 			}
 			for ( i = 0; i < 3; i++ )
 				color[ i ] = ( textureColor[ i ] / 255 ) * ( rw->verts[ samples ].color[ lightmapNum ][ i ] / 255.0f );
@@ -363,7 +363,7 @@ static void RadSample( int lightmapNum, bspDrawSurface_t *ds, rawLightmap_t *lm,
 						/* multiply by texture color */
 						if ( !RadSampleImage( si->lightImage->pixels, si->lightImage->width, si->lightImage->height, st, textureColor ) ) {
 							VectorCopy( si->averageColor, textureColor );
-							textureColor[ 4 ] = 255;
+							textureColor[ 3 ] = 255;
 						}
 						for ( i = 0; i < 3; i++ )
 							color[ i ] = ( textureColor[ i ] / 255 ) * ( radLuxel[ i ] / 255 );
diff --git a/tools/quake3/q3map2/lightmaps_ydnar.c b/tools/quake3/q3map2/lightmaps_ydnar.c
index b0329349..9f8d6bec 100644
--- a/tools/quake3/q3map2/lightmaps_ydnar.c
+++ b/tools/quake3/q3map2/lightmaps_ydnar.c
@@ -2104,6 +2104,11 @@ static void FindOutLightmaps( rawLightmap_t *lm ){
 			/* allocate two new output lightmaps */
 			numOutLightmaps += 2;
 			olm = safe_malloc( numOutLightmaps * sizeof( outLightmap_t ) );
+			if ( !olm )
+			{
+				Error( "FindOutLightmaps: Failed to allocate memory.\n" );
+			}
+
 			if ( outLightmaps != NULL && numOutLightmaps > 2 ) {
 				memcpy( olm, outLightmaps, ( numOutLightmaps - 2 ) * sizeof( outLightmap_t ) );
 				free( outLightmaps );
diff --git a/tools/quake3/q3map2/main.c b/tools/quake3/q3map2/main.c
index 07125356..206af096 100644
--- a/tools/quake3/q3map2/main.c
+++ b/tools/quake3/q3map2/main.c
@@ -279,7 +279,7 @@ int AnalyzeBSP( int argc, char **argv ){
 		lumpInt = LittleLong( (int) *( (int*) lump ) );
 		lumpFloat = LittleFloat( (float) *( (float*) lump ) );
 		memcpy( lumpString, (char*) lump, ( length < 1024 ? length : 1024 ) );
-		lumpString[ 1024 ] = '\0';
+		lumpString[ 1023 ] = '\0';
 
 		/* print basic lump info */
 		Sys_Printf( "Lump:          %d\n", i );
diff --git a/tools/quake3/q3map2/q3map2.h b/tools/quake3/q3map2/q3map2.h
index 936905d7..0da3f836 100644
--- a/tools/quake3/q3map2/q3map2.h
+++ b/tools/quake3/q3map2/q3map2.h
@@ -763,7 +763,7 @@ typedef struct shaderInfo_s
 	sun_t               *sun;                           /* ydnar */
 
 	vec3_t color;                                       /* normalized color */
-	vec3_t averageColor;
+	vec4_t averageColor;
 	byte lightStyle;
 
 	qb_t lmMergable;                                    /* ydnar */
diff --git a/tools/quake3/q3map2/shaders.c b/tools/quake3/q3map2/shaders.c
index cc58f64b..f747a27d 100644
--- a/tools/quake3/q3map2/shaders.c
+++ b/tools/quake3/q3map2/shaders.c
@@ -791,6 +791,7 @@ static void LoadShaderImages( shaderInfo_t *si ){
 		ColorNormalize( color, si->color );
 	}
 	VectorScale( color, ( 1.0f / count ), si->averageColor );
+	si->averageColor[ 3 ] = color[ 3 ] / count;
 }
 
 
diff --git a/tools/quake3/q3map2/surface_meta.c b/tools/quake3/q3map2/surface_meta.c
index 77ed7360..d4a5018c 100644
--- a/tools/quake3/q3map2/surface_meta.c
+++ b/tools/quake3/q3map2/surface_meta.c
@@ -740,7 +740,8 @@ static qboolean PointTriangleIntersect( vec3_t pt, vec4_t plane, vec3_t a, vec3_
 
 typedef struct edge_s
 {
-	vec3_t origin, edge;
+	vec3_t origin;
+	vec4_t edge;
 	vec_t length, kingpinLength;
 	int kingpin;
 	vec4_t plane;
diff --git a/tools/urt/tools/quake3/q3map2/bspfile_abstract.c b/tools/urt/tools/quake3/q3map2/bspfile_abstract.c
index 8a6cc6ea..116f3d33 100644
--- a/tools/urt/tools/quake3/q3map2/bspfile_abstract.c
+++ b/tools/urt/tools/quake3/q3map2/bspfile_abstract.c
@@ -68,6 +68,8 @@ void IncDrawVerts(){
 
 	}
 	else if ( numBSPDrawVerts > numBSPDrawVertsBuffer ) {
+		bspDrawVert_t *newBspDrawVerts;
+
 		numBSPDrawVertsBuffer *= 3; // multiply by 1.5
 		numBSPDrawVertsBuffer /= 2;
 
@@ -75,11 +77,14 @@ void IncDrawVerts(){
 			numBSPDrawVertsBuffer = MAX_MAP_DRAW_VERTS;
 		}
 
-		bspDrawVerts = realloc( bspDrawVerts, sizeof( bspDrawVert_t ) * numBSPDrawVertsBuffer );
+		newBspDrawVerts = realloc( bspDrawVerts, sizeof( bspDrawVert_t ) * numBSPDrawVertsBuffer );
 
-		if ( !bspDrawVerts ) {
+		if ( !newBspDrawVerts ) {
+			free (bspDrawVerts);
 			Error( "realloc() failed (IncDrawVerts)" );
 		}
+
+		bspDrawVerts = newBspDrawVerts;
 	}
 
 	memset( bspDrawVerts + ( numBSPDrawVerts - 1 ), 0, sizeof( bspDrawVert_t ) );
diff --git a/tools/urt/tools/quake3/q3map2/light_bounce.c b/tools/urt/tools/quake3/q3map2/light_bounce.c
index 686518b1..97ef4781 100644
--- a/tools/urt/tools/quake3/q3map2/light_bounce.c
+++ b/tools/urt/tools/quake3/q3map2/light_bounce.c
@@ -185,10 +185,10 @@ static void RadClipWindingEpsilon( radWinding_t *in, vec3_t normal, vec_t dist,
 	}
 
 	/* error check */
-	if ( front->numVerts > maxPoints || front->numVerts > maxPoints ) {
+	if ( front->numVerts > maxPoints ) {
 		Error( "RadClipWindingEpsilon: points exceeded estimate" );
 	}
-	if ( front->numVerts > MAX_POINTS_ON_WINDING || front->numVerts > MAX_POINTS_ON_WINDING ) {
+	if ( front->numVerts > MAX_POINTS_ON_WINDING ) {
 		Error( "RadClipWindingEpsilon: MAX_POINTS_ON_WINDING" );
 	}
 }
@@ -279,7 +279,7 @@ static void RadSample( int lightmapNum, bspDrawSurface_t *ds, rawLightmap_t *lm,
 			/* multiply by texture color */
 			if ( !RadSampleImage( si->lightImage->pixels, si->lightImage->width, si->lightImage->height, rw->verts[ samples ].st, textureColor ) ) {
 				VectorCopy( si->averageColor, textureColor );
-				textureColor[ 4 ] = 255.0f;
+				textureColor[ 3 ] = 255.0f;
 			}
 			for ( i = 0; i < 3; i++ )
 				color[ i ] = ( textureColor[ i ] / 255 ) * ( rw->verts[ samples ].color[ lightmapNum ][ i ] / 255.0f );
@@ -363,7 +363,7 @@ static void RadSample( int lightmapNum, bspDrawSurface_t *ds, rawLightmap_t *lm,
 						/* multiply by texture color */
 						if ( !RadSampleImage( si->lightImage->pixels, si->lightImage->width, si->lightImage->height, st, textureColor ) ) {
 							VectorCopy( si->averageColor, textureColor );
-							textureColor[ 4 ] = 255;
+							textureColor[ 3 ] = 255;
 						}
 						for ( i = 0; i < 3; i++ )
 							color[ i ] = ( textureColor[ i ] / 255 ) * ( radLuxel[ i ] / 255 );
diff --git a/tools/urt/tools/quake3/q3map2/main.c b/tools/urt/tools/quake3/q3map2/main.c
index 2e9921b9..4000bd38 100644
--- a/tools/urt/tools/quake3/q3map2/main.c
+++ b/tools/urt/tools/quake3/q3map2/main.c
@@ -169,7 +169,7 @@ int AnalyzeBSP( int argc, char **argv ){
 		lumpInt = LittleLong( (int) *( (int*) lump ) );
 		lumpFloat = LittleFloat( (float) *( (float*) lump ) );
 		memcpy( lumpString, (char*) lump, ( length < 1024 ? length : 1024 ) );
-		lumpString[ 1024 ] = '\0';
+		lumpString[ 1023 ] = '\0';
 
 		/* print basic lump info */
 		Sys_Printf( "Lump:          %d\n", i );
diff --git a/tools/urt/tools/quake3/q3map2/q3map2.h b/tools/urt/tools/quake3/q3map2/q3map2.h
index fe21bd92..8935ef2e 100644
--- a/tools/urt/tools/quake3/q3map2/q3map2.h
+++ b/tools/urt/tools/quake3/q3map2/q3map2.h
@@ -743,7 +743,7 @@ typedef struct shaderInfo_s
 	int sun_done;
 
 	vec3_t color;                                       /* normalized color */
-	vec3_t averageColor;
+	vec4_t averageColor;
 	byte lightStyle;
 
 	qb_t lmMergable;                                    /* ydnar */
diff --git a/tools/urt/tools/quake3/q3map2/shaders.c b/tools/urt/tools/quake3/q3map2/shaders.c
index 9df04b84..863a59ef 100644
--- a/tools/urt/tools/quake3/q3map2/shaders.c
+++ b/tools/urt/tools/quake3/q3map2/shaders.c
@@ -789,10 +789,12 @@ static void LoadShaderImages( shaderInfo_t *si ){
 	if ( VectorLength( si->color ) <= 0.0f ) {
 		ColorNormalize( color, si->color );
 		VectorScale( color, ( 1.0f / count ), si->averageColor );
+		si->averageColor[ 3 ] = color[ 3 ] / count;
 	}
 	else
 	{
 		VectorCopy( si->color, si->averageColor );
+		si->averageColor[ 3 ] = 1.0f;
 	}
 }
 
diff --git a/tools/urt/tools/quake3/q3map2/surface_meta.c b/tools/urt/tools/quake3/q3map2/surface_meta.c
index a2d4747f..21a65146 100644
--- a/tools/urt/tools/quake3/q3map2/surface_meta.c
+++ b/tools/urt/tools/quake3/q3map2/surface_meta.c
@@ -743,7 +743,8 @@ static qboolean PointTriangleIntersect( vec3_t pt, vec4_t plane, vec3_t a, vec3_
 
 typedef struct edge_s
 {
-	vec3_t origin, edge;
+	vec3_t origin;
+	vec4_t edge;
 	vec_t length, kingpinLength;
 	int kingpin;
 	vec4_t plane;