From cc9072d098b24ed2f545e15537ea9345827984a2 Mon Sep 17 00:00:00 2001
From: Zack Middleton <zturtleman@gmail.com>
Date: Sat, 25 Jan 2014 21:14:32 -0600
Subject: [PATCH] Check for buffer overflow for rail/lightning surfaces

---
 code/renderergl1/tr_surface.c | 2 ++
 code/renderergl2/tr_surface.c | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/code/renderergl1/tr_surface.c b/code/renderergl1/tr_surface.c
index dca89c5e..1879fe2c 100644
--- a/code/renderergl1/tr_surface.c
+++ b/code/renderergl1/tr_surface.c
@@ -344,6 +344,8 @@ static void DoRailCore( const vec3_t start, const vec3_t end, const vec3_t up, f
 	int			vbase;
 	float		t = len / 256.0f;
 
+	RB_CHECKOVERFLOW( 4, 6 );
+
 	vbase = tess.numVertexes;
 
 	spanWidth2 = -spanWidth;
diff --git a/code/renderergl2/tr_surface.c b/code/renderergl2/tr_surface.c
index 72d2f8d6..825582bd 100644
--- a/code/renderergl2/tr_surface.c
+++ b/code/renderergl2/tr_surface.c
@@ -627,6 +627,8 @@ static void DoRailCore( const vec3_t start, const vec3_t end, const vec3_t up, f
 	int			vbase;
 	float		t = len / 256.0f;
 
+	RB_CHECKOVERFLOW( 4, 6 );
+
 	vbase = tess.numVertexes;
 
 	spanWidth2 = -spanWidth;