From 2a662255fac841f145dbdddad1f95a5136f8d950 Mon Sep 17 00:00:00 2001
From: havoc <havoc@d7cf8633-e32d-0410-b094-e92efae38249>
Date: Fri, 3 Dec 2004 05:03:12 +0000
Subject: [PATCH] don't let clients kill server with bogus cursor_entitynumber
 values

git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@4821 d7cf8633-e32d-0410-b094-e92efae38249
---
 sv_user.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/sv_user.c b/sv_user.c
index 63c54c69..b870bf59 100644
--- a/sv_user.c
+++ b/sv_user.c
@@ -688,7 +688,12 @@ void SV_ReadClientMove (usercmd_t *move)
 		move->cursor_impact[0] = MSG_ReadFloat();
 		move->cursor_impact[1] = MSG_ReadFloat();
 		move->cursor_impact[2] = MSG_ReadFloat();
-		move->cursor_entitynumber = MSG_ReadShort();
+		move->cursor_entitynumber = (unsigned short)MSG_ReadShort();
+		if (move->cursor_entitynumber >= sv.max_edicts)
+		{
+			Con_DPrintf("SV_ReadClientMessage: client send bad cursor_entitynumber\n");
+			move->cursor_entitynumber = 0;
+		}
 		// as requested by FrikaC, cursor_trace_ent is reset to world if the
 		// entity is free at time of receipt
 		if (EDICT_NUM(move->cursor_entitynumber)->e->free)
-- 
2.39.5