mdsprite.c: in md3load(), allocate m->head.surfs with Xcalloc, amending r4952.

And preventing enormous corruption due to free() being called on garbage (malloc'd)
pointer values this time. DO_BUILD_VERY_FAST_PLEASE!

git-svn-id: https://svn.eduke32.com/eduke32@4980 1a8010ca-5511-0410-912e-c29ae57300e0
helixhorned 2015-02-10 19:51:15 +00:00
parent 1abe65f3ce
commit b9834f9832


@ -1414,9 +1414,12 @@ static md3model_t *md3load(int32_t fil)
kread(fil,m->head.tags,i);
}
klseek(fil,m->head.ofssurfs,SEEK_SET); i = m->head.numsurfs*sizeof(md3surf_t);
m->head.surfs = (md3surf_t *)Xmalloc(i);
m->head.surfs[0].geometry = NULL; // for POLYMER_MD_PROCESS_CHECK (else: crashes)
klseek(fil,m->head.ofssurfs,SEEK_SET);
m->head.surfs = (md3surf_t *)Xcalloc(m->head.numsurfs, sizeof(md3surf_t));
// NOTE: We assume that NULL is represented by all-zeros.
// surfs[0].geometry is for POLYMER_MD_PROCESS_CHECK (else: crashes).
// surfs[i].geometry is for FREE_SURFS_GEOMETRY.
Bassert(m->head.surfs[0].geometry == NULL);
#if B_BIG_ENDIAN != 0
{
@ -2413,7 +2416,7 @@ static void md3free(md3model_t *m)
{
md3surf_t *s = &m->head.surfs[surfi];
Bfree(s->tris);
Bfree(s->geometry);
Bfree(s->geometry); // FREE_SURFS_GEOMETRY
}
Bfree(m->head.surfs);
}
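Review bot: In the md3load hunk, `Bassert(m->head.surfs[0].geometry == NULL);` reads element 0 of an array sized by `m->head.numsurfs`, which appears to come from the model file's header, and no lower bound on it is visible in the hunk. If a file can reach this point with a count of zero, the assert reads past a zero-sized allocation; a negative count would presumably turn into a huge element count for Xcalloc. A guard such as `if (m->head.numsurfs <= 0)` ahead of the allocation would cover both, handled the way md3load treats other malformed input. The result of `klseek(fil,m->head.ofssurfs,SEEK_SET)` is also unchecked, although the offset looks file-supplied as well. md3load's body starts and ends outside the hunk, so an earlier validation may already exist; confirm before adding one.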