From 15b5f1f0c172107041f780b72457e837a67ae0ca Mon Sep 17 00:00:00 2001
From: Jonathan Gray
Date: Tue, 7 May 2013 18:37:38 +1000
Subject: [PATCH] invalid msg field count buffer overflow bugzilla #4669 from Eugene C. in ioquake3 svn 1788 git 3ff266637578b9727ddee84e966214dd5dc51f04 Fix buffer overflow, report and patch by Eugene C. (#4669)
---
 codemp/qcommon/msg.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/codemp/qcommon/msg.cpp b/codemp/qcommon/msg.cpp
index 8980897..524ebbe 100644
--- a/codemp/qcommon/msg.cpp
+++ b/codemp/qcommon/msg.cpp
@@ -1261,6 +1261,10 @@ void MSG_ReadDeltaEntity( msg_t *msg, entityState_t *from, entityState_t *to,
 numFields = sizeof(entityStateFields)/sizeof(entityStateFields[0]);
 lc = MSG_ReadByte(msg);
 
+ if ( lc > numFields || lc < 0 ) {
+ Com_Error( ERR_DROP, "invalid entityState field count" );
+ }
+
 // shownet 2/3 will interleave with other printed info, -1 will
 // just print the delta records`
 if ( cl_shownet->integer >= 2 || cl_shownet->integer == -1 ) {
@@ -2515,6 +2519,10 @@ void MSG_ReadDeltaPlayerstate (msg_t *msg, playerState_t *from, playerState_t *t
 
 lc = MSG_ReadByte(msg);
 
+ if ( lc > numFields || lc < 0 ) {
+ Com_Error( ERR_DROP, "invalid playerState field count" );
+ }
+
 #ifdef _DONETPROFILE_
 int startBytes,endBytes;
 #endif
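Review bot: The Com_Error message in the MSG_ReadDeltaEntity check omits the values needed to triage the drop: it reports only "invalid entityState field count", so a log cannot tell a short read (presumably what `lc < 0` catches, if MSG_ReadByte returns a negative value past the end of the message) from a peer that sent an oversized count. Assuming lc and numFields are both int, `Com_Error( ERR_DROP, "invalid entityState field count %d (max %d)", lc, numFields );` would record both, and the playerState message in the second hunk has the same gap. A comment above the check such as `// lc is read from the network message; it must not exceed the entityStateFields table size` would document why the guard is there. The function body continues outside the hunk, so the code that consumes lc is not visible here.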
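Review bot: The bound used by the MSG_ReadDeltaPlayerstate check cannot be verified from this hunk, because numFields is assigned above the first context line. If the function can select between more than one playerState field table, numFields has to be the element count of the table the read loop actually indexes, otherwise `lc > numFields` compares against the wrong size. A comment at the check, for example `// numFields must be the size of the field table used below; lc is untrusted`, would pin that assumption for the next maintainer. The function starts and ends outside the hunk.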