From: havoc <havoc@d7cf8633-e32d-0410-b094-e92efae38249>
Date: Fri, 3 Dec 2004 05:03:12 +0000 (+0000)
Subject: don't let clients kill server with bogus cursor_entitynumber values
X-Git-Tag: xonotic-v0.1.0preview~5317
X-Git-Url: https://git.rm.cloudns.org/?a=commitdiff_plain;h=2a662255fac841f145dbdddad1f95a5136f8d950;p=xonotic%2Fdarkplaces.git

don't let clients kill server with bogus cursor_entitynumber values


git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@4821 d7cf8633-e32d-0410-b094-e92efae38249
---

diff --git a/sv_user.c b/sv_user.c
index 63c54c69..b870bf59 100644
--- a/sv_user.c
+++ b/sv_user.c
@@ -688,7 +688,12 @@ void SV_ReadClientMove (usercmd_t *move)
 		move->cursor_impact[0] = MSG_ReadFloat();
 		move->cursor_impact[1] = MSG_ReadFloat();
 		move->cursor_impact[2] = MSG_ReadFloat();
-		move->cursor_entitynumber = MSG_ReadShort();
+		move->cursor_entitynumber = (unsigned short)MSG_ReadShort();
+		if (move->cursor_entitynumber >= sv.max_edicts)
+		{
+			Con_DPrintf("SV_ReadClientMessage: client send bad cursor_entitynumber\n");
+			move->cursor_entitynumber = 0;
+		}
 		// as requested by FrikaC, cursor_trace_ent is reset to world if the
 		// entity is free at time of receipt
 		if (EDICT_NUM(move->cursor_entitynumber)->e->free)