From a88ef2068029d91cb43a659394e23a27042b5e7d Mon Sep 17 00:00:00 2001
From: Timothee Besset
Date: Sun, 24 Apr 2016 15:02:50 -0500
Subject: [PATCH] fix short alloc and heap corruption for winding_accu_t and brush_t - brought about by https://github.com/TTimo/bspc/pull/4
---
 tools/quake3/common/polylib.c | 2 +-
 tools/quake3/q3map2/brush.c | 7 +------
 2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/tools/quake3/common/polylib.c b/tools/quake3/common/polylib.c
index 10117781..ed4f8741 100644
--- a/tools/quake3/common/polylib.c
+++ b/tools/quake3/common/polylib.c
@@ -94,7 +94,7 @@ winding_accu_t *AllocWindingAccu( int points ){
 c_peak_windings = c_active_windings;
 }
 }
- s = sizeof( vec_accu_t ) * 3 * points + sizeof( int );
+ s = sizeof(*w) + (points > 4 ? sizeof(vec3_accu_t) * (points - 4) : 0);
 w = safe_malloc( s );
 memset( w, 0, s );
 return w;
diff --git a/tools/quake3/q3map2/brush.c b/tools/quake3/q3map2/brush.c
index 8a9dcdca..0d7eb221 100644
--- a/tools/quake3/q3map2/brush.c
+++ b/tools/quake3/q3map2/brush.c
@@ -93,12 +93,7 @@ brush_t *AllocBrush( int numSides ){
 brush_t *bb;
 size_t c;
 
-
- /* allocate and clear */
- if ( numSides <= 0 ) {
- Error( "AllocBrush called with numsides = %d", numSides );
- }
- c = (size_t)&( ( (brush_t*) 0 )->sides[ numSides ] );
+ c = sizeof(*bb) + (numSides > 6 ? sizeof(side_t)*(numSides - 6) : 0);
 bb = safe_malloc( c );
 memset( bb, 0, c );
 if ( numthreads == 1 ) {
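Review bot: The new size in AllocWindingAccu depends on the literal `4` matching the number of points stored inline in `winding_accu_t`, and nothing in the hunk ties the two together; if the struct definition (not visible here) changes, the short allocation this commit fixes can return silently. A comment on the `s = ...` line such as `/* 4 = inline point slots in winding_accu_t; keep in sync with the struct */`, or a named constant shared with the struct, would make that dependency explicit. Separately, `sizeof(vec3_accu_t) * (points - 4)` is evaluated in `size_t` from an `int`, so unless `points` is range-checked earlier in the function (its start is outside the hunk), a very large value could wrap on a 32-bit build and yield a buffer smaller than what callers then fill.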
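Review bot: Dropping the `numSides <= 0` check means AllocBrush no longer diagnoses a negative count: the new expression falls back to `sizeof(*bb)` and returns a brush with only the inline side slots, so a caller bug that used to be reported through `Error()` now proceeds quietly. If zero sides is meant to be legal now, keeping the guard for negatives is cheap: `if ( numSides < 0 ) { Error( "AllocBrush called with numsides = %d", numSides ); }`. The literal `6` is presumably the declared length of `sides` in `brush_t` (the struct is not visible here); a short comment saying so would keep the allocation and the struct from drifting apart. The function body continues past the end of the hunk.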