From 232e4793807844c3b74694b39bd969d83a021f60 Mon Sep 17 00:00:00 2001
From: helixhorned <helixhorned@1a8010ca-5511-0410-912e-c29ae57300e0>
Date: Thu, 6 Nov 2014 23:43:49 +0000
Subject: [PATCH] Fix oob write with stepping 'up' in the OSD history.

git-svn-id: https://svn.eduke32.com/eduke32@4725 1a8010ca-5511-0410-912e-c29ae57300e0
---
 polymer/eduke32/build/include/osd.h | 6 ++++++
 polymer/eduke32/build/src/config.c  | 3 +--
 polymer/eduke32/build/src/osd.c     | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/polymer/eduke32/build/include/osd.h b/polymer/eduke32/build/include/osd.h
index 78793201e..6493c24d4 100644
--- a/polymer/eduke32/build/include/osd.h
+++ b/polymer/eduke32/build/include/osd.h
@@ -274,6 +274,12 @@ int32_t OSD_RegisterCvar(const cvar_t *cvar);
 void OSD_WriteAliases(FILE *fp);
 void OSD_WriteCvars(FILE *fp);
 
+static inline void OSD_SetHistory(int32_t histIdx, const char *src)
+{
+    osd->history.buf[histIdx] = Xmalloc(OSDEDITLENGTH);
+    Bstrncpyz(osd->history.buf[histIdx], src, OSDEDITLENGTH);
+}
+
 // these correspond to the Duke palettes, so they shouldn't really be here
 // ...but I don't care
 
diff --git a/polymer/eduke32/build/src/config.c b/polymer/eduke32/build/src/config.c
index 852790bae..afa398a3c 100644
--- a/polymer/eduke32/build/src/config.c
+++ b/polymer/eduke32/build/src/config.c
@@ -262,9 +262,8 @@ int32_t loadsetup(const char *fn)
     // copy script history into OSD history
     for (i=0; i<min(scripthistend, osd->history.maxlines); i++)
     {
-//        Bstrncpyz(osd->history.buf[i], scripthist[scripthistend-1-i], OSDEDITLENGTH+1);
         DO_FREE_AND_NULL(osd->history.buf[i]);
-        osd->history.buf[i] = Bstrdup(scripthist[scripthistend-1-i]);
+        OSD_SetHistory(i, scripthist[scripthistend-1-i]);
 
         osd->history.lines++;
         osd->history.total++;
diff --git a/polymer/eduke32/build/src/osd.c b/polymer/eduke32/build/src/osd.c
index 4cfe65d1c..193c59f8b 100644
--- a/polymer/eduke32/build/src/osd.c
+++ b/polymer/eduke32/build/src/osd.c
@@ -1127,7 +1127,7 @@ int32_t OSD_HandleChar(char ch)
 
                 Bmemmove(&osd->history.buf[1], &osd->history.buf[0], sizeof(intptr_t) * osd->history.maxlines-1);
 
-                osd->history.buf[0] = Bstrdup(osd->editor.buf);
+                OSD_SetHistory(0, osd->editor.buf);
 
                 if (osd->history.lines < osd->history.maxlines)
                     osd->history.lines++;