From 388a72a89b9ea3fd6e4d3c3b2c7d14e1b7384975 Mon Sep 17 00:00:00 2001
From: James R
Date: Sun, 11 Feb 2024 05:35:42 -0800
Subject: [PATCH] Got_Saycmd: copy message content into intermediate buffer

This prevents modifying the original buffer at the cleanup step as well as potentially writing out of bounds.
---
 src/hu_stuff.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/hu_stuff.c b/src/hu_stuff.c
index e223d3208..180d31704 100644
--- a/src/hu_stuff.c
+++ b/src/hu_stuff.c
@@ -641,6 +641,7 @@ static void Got_Saycmd(UINT8 **p, INT32 playernum)
 SINT8 target;
 UINT8 flags;
 const char *dispname;
+ char buf[HU_MAXMSGLEN + 1];
 char *msg;
 boolean action = false;
 char *ptr;
@@ -650,8 +651,8 @@ static void Got_Saycmd(UINT8 **p, INT32 playernum)
 target = READSINT8(*p);
 flags = READUINT8(*p);
- msg = (char *)*p;
- SKIPSTRINGL(*p, HU_MAXMSGLEN + 1);
+ msg = buf;
+ READSTRINGL(*p, msg, HU_MAXMSGLEN + 1);
 if ((cv_mute.value || flags & (HU_CSAY|HU_SERVER_SAY)) && playernum != serverplayer && !(IsPlayerAdmin(playernum)))
 {
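Review bot: In the second hunk the copy bound `HU_MAXMSGLEN + 1` is spelled out again instead of being derived from the `buf` declared in the first hunk, so the two can drift apart if either is edited later; `READSTRINGL(*p, buf, sizeof buf);` followed by `msg = buf;` keeps the limit tied to the array. The bound is only safe if READSTRINGL writes at most n bytes including the terminator, which is not visible here and is worth confirming against the macro definition. Nothing in these lines checks how many bytes of the received packet remain behind `*p`, so an unterminated message would presumably still be read past the payload, as it was with SKIPSTRINGL; that check may live in the caller. A short comment such as `/* copy: msg is edited in place below and must not alias the packet */` would record why the copy exists. The rest of Got_Saycmd, including the cleanup step the commit message mentions, lies outside the hunk.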