[gamecode] Plug a nasty buffer overflow

This one is ancient: the code was essentially unmodified since release
(just some formatting). Malformed vectors could sneak through due to map
bugs (eg, "angles -90" instead of "angle -90" as in ad_tears) and the
vector parsing code would continue past the end of the string and
writing into unowned memory, potentially messing up the libc allocation
records. Replacing with the obvious sscanf works nicely.

Sometimes, Quake code is brilliant. Other times, it's a real face-palm.

libs/gamecode/pr_parse.c

@@ -215,10 +215,7 @@ ED_NewString (progs_t *pr, const char *string)
 VISIBLE qboolean
 ED_ParseEpair (progs_t *pr, pr_type_t *base, pr_def_t *key, const char *s)
 {
-	int			i;
-	char		*string;
 	pr_def_t    *def;
-	char		*v, *w;
 	pr_type_t	*d;
 	dfunction_t	*func;
 
@@ -234,17 +231,18 @@ ED_ParseEpair (progs_t *pr, pr_type_t *base, pr_def_t *key, const char *s)
 			break;
 
 		case ev_vector:
-			string = strdup (s);
+			vec3_t      vec = {};
-			v = string;
+			char       *str = alloca (strlen (s) + 1);
-			w = string;
+			strcpy (str, s);
-			for (i = 0; i < 3; i++) {
+			for (char *v = str; *v; v++) {
-				while (*v && *v != ' ')
+				if (*v == ',') {
-					v++;
+					*v = ' ';
-				*v = 0;
+				}
-				(&PR_PTR (float, d))[i] = atof (w);
-				w = v = v + 1;
 			}
-			free (string);
+			if (sscanf (s, "%f %f %f", VectorExpandAddr (vec)) != 3) {
+				Sys_Printf ("Malformed vector %s\n", s);
+			}
+			VectorCopy (vec, PR_PTR (vector, d));
 			break;
 
 		case ev_entity: