From 88b33141e9e1ef1af7a41904025b7d9835dd9251 Mon Sep 17 00:00:00 2001
From: havoc
Date: Tue, 7 Jan 2020 10:25:49 +0000
Subject: [PATCH] Fix PRVM_ValueString and PRVM_UglyValueString to check for out of bounds dereference on a value provided by VM code, and also a NULL pointer check for another field type.
git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@12484 d7cf8633-e32d-0410-b094-e92efae38249
---
prvm_edict.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
diff --git a/prvm_edict.c b/prvm_edict.c
index 8633fdfe..aece0e2f 100644
--- a/prvm_edict.c
+++ b/prvm_edict.c
@@ -439,12 +439,20 @@ static char *PRVM_ValueString (prvm_prog_t *prog, etype_t type, prvm_eval_t *val
 dpsnprintf (line, linelength, "entity %i", n);
 break;
 case ev_function:
- f = prog->functions + val->function;
- dpsnprintf (line, linelength, "%s()", PRVM_GetString(prog, f->s_name));
+ if ((unsigned int)val->function < prog->progs_numfunctions)
+ {
+ f = prog->functions + val->function;
+ dpsnprintf (line, linelength, "%s()", PRVM_GetString(prog, f->s_name));
+ }
+ else
+ dpsnprintf (line, linelength, "function%i() (invalid!)", val->function);
 break;
 case ev_field:
 def = PRVM_ED_FieldAtOfs ( prog, val->_int );
- dpsnprintf (line, linelength, ".%s", PRVM_GetString(prog, def->s_name));
+ if (def != NULL)
+ dpsnprintf (line, linelength, ".%s", PRVM_GetString(prog, def->s_name));
+ else
+ dpsnprintf (line, linelength, "field%i (invalid!)", val->_int );
 break;
 case ev_void:
 dpsnprintf (line, linelength, "void");
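Review bot: The new ev_function guard `(unsigned int)val->function < prog->progs_numfunctions` depends on `progs_numfunctions` being a non-negative count; its type is not visible in this hunk, and if it is a signed int the comparison is carried out in unsigned arithmetic, so a negative count would let every index through — worth confirming, and worth a one-line comment on the guard, e.g. `// val->function is VM-supplied; the unsigned cast also rejects negative indices`. The same applies to `f->s_name`, which is still passed to PRVM_GetString without a visible range check; presumably that helper validates string offsets itself, but that is not established by this hunk. PRVM_ValueString begins and ends outside the hunk.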
@@ -525,12 +533,20 @@ char *PRVM_UglyValueString (prvm_prog_t *prog, etype_t type, prvm_eval_t *val, c
 dpsnprintf (line, linelength, "%i", i);
 break;
 case ev_function:
- f = prog->functions + val->function;
- strlcpy (line, PRVM_GetString (prog, f->s_name), linelength);
+ if ((unsigned int)val->function < prog->progs_numfunctions)
+ {
+ f = prog->functions + val->function;
+ strlcpy (line, PRVM_GetString (prog, f->s_name), linelength);
+ }
+ else
+ dpsnprintf (line, linelength, "bad function %i (invalid!)", val->function);
 break;
 case ev_field:
 def = PRVM_ED_FieldAtOfs ( prog, val->_int );
- dpsnprintf (line, linelength, ".%s", PRVM_GetString(prog, def->s_name));
+ if (def != NULL)
+ dpsnprintf (line, linelength, ".%s", PRVM_GetString(prog, def->s_name));
+ else
+ dpsnprintf (line, linelength, "field%i (invalid!)", val->_int );
 break;
 case ev_void:
 dpsnprintf (line, linelength, "void");
-- 2.39.2
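Review bot: The fallback text for an out-of-range function differs between the two functions — `"bad function %i (invalid!)"` here versus `"function%i() (invalid!)"` in PRVM_ValueString — while the ev_field fallback `"field%i (invalid!)"` is identical in both, which looks unintentional. The valid path in this function copies the bare function name with `strlcpy` and no `()` decoration, which suggests its output is meant to be machine-readable and possibly re-parsed later; if so, an "(invalid!)" marker will not round-trip and the consumer should be told, e.g. `// not a real function name; whoever parses this output must treat it as an error`. Whether any parser consumes this string cannot be determined from the hunk. PRVM_UglyValueString begins and ends outside the hunk.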