From b9834f98325477eebedf7e9b1c1a1656b7f148b3 Mon Sep 17 00:00:00 2001 From: helixhorned Date: Tue, 10 Feb 2015 19:51:15 +0000 Subject: [PATCH] mdsprite.c: in md3load(), allocate m->head.surfs with Xcalloc, amending r4952. And preventing enormous corruption due to a free() called on a garbage (malloc'd) pointer values this time. DO_BUILD_VERY_FAST_PLEASE! git-svn-id: https://svn.eduke32.com/eduke32@4980 1a8010ca-5511-0410-912e-c29ae57300e0 --- polymer/eduke32/build/src/mdsprite.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/polymer/eduke32/build/src/mdsprite.c b/polymer/eduke32/build/src/mdsprite.c index 378798a4f..6627d936f 100644 --- a/polymer/eduke32/build/src/mdsprite.c +++ b/polymer/eduke32/build/src/mdsprite.c @@ -1414,9 +1414,12 @@ static md3model_t *md3load(int32_t fil) kread(fil,m->head.tags,i); } - klseek(fil,m->head.ofssurfs,SEEK_SET); i = m->head.numsurfs*sizeof(md3surf_t); - m->head.surfs = (md3surf_t *)Xmalloc(i); - m->head.surfs[0].geometry = NULL; // for POLYMER_MD_PROCESS_CHECK (else: crashes) + klseek(fil,m->head.ofssurfs,SEEK_SET); + m->head.surfs = (md3surf_t *)Xcalloc(m->head.numsurfs, sizeof(md3surf_t)); + // NOTE: We assume that NULL is represented by all-zeros. + // surfs[0].geometry is for POLYMER_MD_PROCESS_CHECK (else: crashes). + // surfs[i].geometry is for FREE_SURFS_GEOMETRY. + Bassert(m->head.surfs[0].geometry == NULL); #if B_BIG_ENDIAN != 0 { @@ -2413,7 +2416,7 @@ static void md3free(md3model_t *m) { md3surf_t *s = &m->head.surfs[surfi]; Bfree(s->tris); - Bfree(s->geometry); + Bfree(s->geometry); // FREE_SURFS_GEOMETRY } Bfree(m->head.surfs); }