From 10ae7e342ce5959d3708363032489a6734c7a973 Mon Sep 17 00:00:00 2001
From: helixhorned
Date: Sun, 9 Dec 2012 13:42:38 +0000
Subject: [PATCH] CON: proper bound checks for {re,}definequote commands.

git-svn-id: https://svn.eduke32.com/eduke32@3262 1a8010ca-5511-0410-912e-c29ae57300e0
---
 polymer/eduke32/source/gamedef.c | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)

diff --git a/polymer/eduke32/source/gamedef.c b/polymer/eduke32/source/gamedef.c
index 506cdb6c4..4cc08c813 100644
--- a/polymer/eduke32/source/gamedef.c
+++ b/polymer/eduke32/source/gamedef.c
@@ -5313,15 +5313,17 @@ repeatcase:
 initprintf("%s:%d: error: quote number exceeds limit of %d.\n",g_szScriptFileName,g_lineNumber,MAXQUOTES);
 g_numCompilerErrors++;
 }
-
- if (ScriptQuotes[k] == NULL)
- ScriptQuotes[k] = (char *)Bcalloc(MAXQUOTELEN,sizeof(uint8_t));
-
- if (!ScriptQuotes[k])
+ else
 {
- ScriptQuotes[k] = NULL;
- Bsprintf(tempbuf,"Failed allocating %" PRIdPTR " byte quote text buffer.",sizeof(uint8_t) * MAXQUOTELEN);
- G_GameExit(tempbuf);
+ if (ScriptQuotes[k] == NULL)
+ ScriptQuotes[k] = (char *)Bcalloc(MAXQUOTELEN,sizeof(uint8_t));
+
+ if (!ScriptQuotes[k])
+ {
+ ScriptQuotes[k] = NULL;
+ Bsprintf(tempbuf,"Failed allocating %" PRIdPTR " byte quote text buffer.",sizeof(uint8_t) * MAXQUOTELEN);
+ G_GameExit(tempbuf);
+ }
 }
 
 if (tw == CON_DEFINEQUOTE)
@@ -5336,9 +5338,8 @@ repeatcase:
 {
 if (ScriptQuoteRedefinitions[g_numQuoteRedefinitions] == NULL)
 ScriptQuoteRedefinitions[g_numQuoteRedefinitions] = (char *)Bcalloc(MAXQUOTELEN,sizeof(uint8_t));
- if (!ScriptQuoteRedefinitions[g_numQuoteRedefinitions])
+ if (ScriptQuoteRedefinitions[g_numQuoteRedefinitions] == NULL)
 {
- ScriptQuoteRedefinitions[g_numQuoteRedefinitions] = NULL;
 Bsprintf(tempbuf,"Failed allocating %" PRIdPTR " byte quote text buffer.",sizeof(uint8_t) * MAXQUOTELEN);
 G_GameExit(tempbuf);
 }
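Review bot: In the hunk at -5313, the new `else` protects the allocation only if the range test above it, which is outside the hunk, also rejects negative quote numbers; the hunk at -5368 tests `(unsigned)k < MAXQUOTES`, which suggests k is signed. If the earlier condition is a plain `k >= MAXQUOTES`, a negative value still reaches `ScriptQuotes[k]` in this branch, so it should use the same form, `if ((unsigned)k >= MAXQUOTES)`. Inside the branch, `ScriptQuotes[k] = NULL;` under `if (!ScriptQuotes[k])` stores NULL over NULL; the hunk at -5336 drops the equivalent line and this one can go as well.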
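Review bot: In the hunk at -5336, `ScriptQuoteRedefinitions[g_numQuoteRedefinitions]` is indexed with no limit on the counter in view, and none of the three hunks adds one even though the subject line covers redefinequote. If the counter is not capped elsewhere in the parser, the index can run past the array here and again at the terminator write in the `else` branch of the hunk at -5368. A test against the array's declared length ahead of the Bcalloc call, reported through `initprintf` and `g_numCompilerErrors++` like the quote-number error, would cover both. The enclosing block starts and ends outside the hunk.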
@@ -5368,8 +5369,12 @@ repeatcase:
 break;
 }
 }
+
 if (tw == CON_DEFINEQUOTE)
- *(ScriptQuotes[k]+i) = '\0';
+ {
+ if ((unsigned)k < MAXQUOTES)
+ *(ScriptQuotes[k]+i) = '\0';
+ }
 else
 {
 *(ScriptQuoteRedefinitions[g_numQuoteRedefinitions]+i) = '\0';
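Review bot: Only the terminator write is guarded in the hunk at -5368; the loop that closes in the leading context (`break; } }`) lies outside the diff, and the three hunks already account for all 16 insertions and 11 deletions, so it was not changed. If that loop stores characters through `ScriptQuotes[k]+i`, it still writes through an unchecked index when k failed the range test, because the error path in the hunk at -5313 only increments `g_numCompilerErrors` and parsing continues. Either give that store the same guard, `if ((unsigned)k < MAXQUOTES)`, or skip the rest of the line once the range error is reported so that no later use of k needs its own test. The `else` block at the end of the hunk continues past it.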