From 3fa32e591051b62375875fbd1eeefd378fbed70c Mon Sep 17 00:00:00 2001
From: Jonathan Gray <jsg@jsg.id.au>
Date: Tue, 7 May 2013 19:36:35 +1000
Subject: [PATCH] Potential buffer overflow in UpdateTournamentInfo()

bugzilla #4753

from Eugene C. in ioquake3
svn 1801 git a4327ef965fa6b8f4103f71ea4a7ae00f1fd97bc

Bugzilla #4753
Potential buffer overflow in UpdateTournamentInfo()
---
 codemp/game/g_arenas.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/codemp/game/g_arenas.c b/codemp/game/g_arenas.c
index 8d9d187..d58ff00 100644
--- a/codemp/game/g_arenas.c
+++ b/codemp/game/g_arenas.c
@@ -22,7 +22,6 @@ void UpdateTournamentInfo( void ) {
 	gentity_t	*player;
 	int			playerClientNum;
 	int			n, accuracy, perfect,	msglen;
-	int			buflen;
 	int			score1, score2;
 	qboolean	won;
 	char		buf[32];
@@ -91,8 +90,8 @@ void UpdateTournamentInfo( void ) {
 	for( i = 0; i < level.numNonSpectatorClients; i++ ) {
 		n = level.sortedClients[i];
 		Com_sprintf( buf, sizeof(buf), " %i %i %i", n, level.clients[n].ps.persistant[PERS_RANK], level.clients[n].ps.persistant[PERS_SCORE] );
-		buflen = strlen( buf );
-		if( msglen + buflen + 1 >= sizeof(msg) ) {
+		msglen += strlen( buf );
+		if( msglen >= sizeof(msg) ) {
 			break;
 		}
 		strcat( msg, buf );
@@ -340,4 +339,4 @@ void Svcmd_AbortPodium_f( void ) {
 		podium1->think = CelebrateStop;
 	}
 }
-*/
\ No newline at end of file
+*/