From 5e053fe270d11776b88e15270e6cfd65c2d69ab0 Mon Sep 17 00:00:00 2001
From: Bill Currie
Date: Thu, 5 Dec 2024 00:22:38 +0900
Subject: [PATCH] [qfcc] Fix an overflow for matrix values

ex_value_t keeps getting bigger :P
---
 tools/qfcc/include/expr.h | 1 +
 tools/qfcc/source/value.c | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/tools/qfcc/include/expr.h b/tools/qfcc/include/expr.h
index b5c918df4..59ab9236e 100644
--- a/tools/qfcc/include/expr.h
+++ b/tools/qfcc/include/expr.h
@@ -225,6 +225,7 @@ typedef struct ex_value_s {
 bool is_constexpr;
 union {
 pr_type_t raw_value; ///< for memcpy
+ pr_dvec4_t raw_matrix[4]; ///< so ex_vector_t is big enough
 const char *string_val; ///< string constant
 double double_val; ///< double constant
 int64_t long_val; ///< signed 64-bit constant
diff --git a/tools/qfcc/source/value.c b/tools/qfcc/source/value.c
index 10fdf9a5a..d22dc72cc 100644
--- a/tools/qfcc/source/value.c
+++ b/tools/qfcc/source/value.c
@@ -303,6 +303,9 @@ new_type_value (const type_t *type, const pr_type_t *data)
 {
 size_t typeSize = type_size (type) * sizeof (pr_type_t);
 ex_value_t val = {};
+ if (typeSize > sizeof (val) - field_offset (ex_value_t, raw_value)) {
+ internal_error (0, "value too large");
+ }
 set_val_type (&val, type);
 memcpy (&val.raw_value, data, typeSize);
 return find_value (&val);
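Review bot: The comment on the new `raw_matrix` member names `ex_vector_t`, but the struct this union sits in is `ex_value_t` (the hunk header shows `typedef struct ex_value_s`), so the comment points readers at the wrong type; suggest `///< sizing member only: lets ex_value_t hold a 4x4 double matrix for the memcpy in new_type_value`. Naming the consumer matters because `raw_matrix` is never read by name and looks dead otherwise. The member's actual capacity depends on `pr_dvec4_t`, whose definition is not in this patch, so the comment should not promise a byte count. The union and the struct continue past the end of this hunk.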
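Review bot: The new bound in `new_type_value` is everything from `raw_value` to the end of `ex_value_t`, which is only the union's capacity if the anonymous union is the struct's last member; the expr.h hunk does not show the end of the struct, and if any field follows the union an oversized value passes the check and the `memcpy` silently overwrites that field instead of being rejected. Since the header change adds `raw_matrix` precisely as the sizing member, `if (typeSize > sizeof (val.raw_matrix)) {` states the intended capacity directly (assuming `raw_matrix` is the union's largest member). Whether `internal_error` returns is not visible here; if it can, the `memcpy` still runs after it, so an explicit `return` (or a `noreturn` attribute on `internal_error`) would close that path. The function's closing brace lies outside the hunk.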