PRVM: fix incorrect tempstring length in VM_tokenizebyseparator()
authorbones_was_here <bones_was_here@xonotic.au>
Tue, 23 Jul 2024 15:35:18 +0000 (01:35 +1000)
committerbones_was_here <bones_was_here@xonotic.au>
Tue, 23 Jul 2024 15:38:27 +0000 (01:38 +1000)
This caused memcpy() in PRVM_SetTempString() to copy too many bytes;
when the source string had the maximum length, it could read past the end
and trigger a segfault.
Bug was introduced in 26a665ff43052862131df3c63785f91861989fc8 and looks
to be specific to that builtin.

Signed-off-by: bones_was_here <bones_was_here@xonotic.au>
prvm_cmds.c

index 3eb341544ebb6569466854c3d3ca2bc07c58e12a..03eb39a8f3f48a427fce9185ffbb29fd72aed94b 100644 (file)
@@ -2790,8 +2790,8 @@ void VM_tokenizebyseparator (prvm_prog_t *prog)
                tokens_endpos[num_tokens] = p0 - tokenize_string;
                if (j >= (int)sizeof(tokentext))
                        break;
-               tokentext[j++] = '\0';
-               tokens[num_tokens++] = PRVM_SetTempString(prog, token, j - 1);
+               tokentext[j] = '\0';
+               tokens[num_tokens++] = PRVM_SetTempString(prog, token, j++ - (token - tokentext));
                if (!*p)
                        break;
        }
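Review bot: The length argument on the added `PRVM_SetTempString` line hides a side effect: `j++ - (token - tokentext)` both computes the token length and advances `j` past the terminator, mixing `int` and pointer-difference arithmetic in one expression. Since the commit message traces an out-of-bounds read to exactly this length, I would make the two steps explicit: `tokens[num_tokens++] = PRVM_SetTempString(prog, token, (tokentext + j) - token);` followed by `j++; // step past the terminator`. A short comment such as `// j is an offset into tokentext shared by all tokens, not this token's length` would help keep the old `j - 1` mistake from coming back. That reading of `j` is inferred from the subtraction, because the loop that fills `tokentext` and the rest of `VM_tokenizebyseparator` lie outside the hunk.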