From f368e70f8984b3c307a212b3fa55e0f51d4e6b2d Mon Sep 17 00:00:00 2001
From: ZZYZX
Date: Mon, 6 Feb 2017 14:22:13 +0200
Subject: [PATCH] Fixed overflows in String.Mid

---
 src/scripting/thingdef_data.cpp | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/scripting/thingdef_data.cpp b/src/scripting/thingdef_data.cpp
index 9b1b9aaba..8786a31bf 100644
--- a/src/scripting/thingdef_data.cpp
+++ b/src/scripting/thingdef_data.cpp
@@ -1141,13 +1141,16 @@ DEFINE_ACTION_FUNCTION(FStringStruct, AppendFormat)
 DEFINE_ACTION_FUNCTION(FStringStruct, Mid)
 {
 PARAM_SELF_STRUCT_PROLOGUE(FString);
- PARAM_INT(pos);
- PARAM_INT(len);
+ PARAM_INT(ipos);
+ PARAM_INT(ilen);
 // validate. we don't want to crash if someone passes negative values.
 // with size_t it's handled naturally I think, as it's unsigned, but not in ZScript.
- if (pos < 0) pos = 0;
- if (len < 0) len = 0;
- int slen = self->Len();
+ if (ipos < 0) ipos = 0;
+ if (ilen < 0) ilen = 0;
+ // convert to size_t to prevent overflows here
+ size_t slen = self->Len();
+ size_t pos = (size_t)ipos;
+ size_t len = (size_t)ilen;
 if (pos > slen) pos = slen - 1;
 if (pos + len > slen) len = slen - pos;
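Review bot: With `slen` now a `size_t`, the clamp `if (pos > slen) pos = slen - 1;` wraps to SIZE_MAX when the string is empty and the script passes any positive position, and the following `pos + len > slen` test can then wrap as well, so an out-of-range `pos` with a non-zero `len` can still leave this validation block. Clamping to the length and comparing by subtraction avoids both wraps: `if (pos > slen) pos = slen;` and `if (len > slen - pos) len = slen - pos;`. That makes an out-of-range start yield an empty result instead of the last character; if the last-character behaviour is intended, guard `slen == 0` explicitly before the subtraction instead. The body of Mid continues past the end of the hunk, so whether a later check or the underlying FString call catches this case is not visible here.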