From dbd3cf7b49cd1d8345a34e6345228be994f938b4 Mon Sep 17 00:00:00 2001
From: divverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Date: Sun, 21 Jun 2009 19:49:11 +0000
Subject: [PATCH] fix framegroups file parsing out of bounds errors

git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@9029 d7cf8633-e32d-0410-b094-e92efae38249
---
 model_shared.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/model_shared.c b/model_shared.c
index c0dea226..73326a22 100644
--- a/model_shared.c
+++ b/model_shared.c
@@ -256,12 +256,13 @@ void Mod_FrameGroupify_ParseGroups_Count (unsigned int i, int start, int len, fl
 
 void Mod_FrameGroupify_ParseGroups_Store (unsigned int i, int start, int len, float fps, qboolean loop, void *pass)
 {
-	animscene_t *anim = (animscene_t *) pass;
-	dpsnprintf(anim[i].name, sizeof(anim[i].name), "groupified_%d", i);
-	anim[i].firstframe = start;
-	anim[i].framecount = len;
-	anim[i].framerate = fps;
-	anim[i].loop = loop;
+	dp_model_t *mod = (dp_model_t *) pass;
+	animscene_t *anim = &mod->animscenes[i];
+	dpsnprintf(anim->name, sizeof(anim[i].name), "groupified_%d", i);
+	anim->firstframe = bound(0, start, mod->num_poses - 1);
+	anim->framecount = bound(1, len, mod->num_poses - anim->firstframe);
+	anim->framerate = max(1, fps);
+	anim->loop = !!loop;
 	//Con_Printf("frame group %d is %d %d %f %d\n", i, start, len, fps, loop);
 }
 
@@ -271,14 +272,20 @@ void Mod_FrameGroupify(dp_model_t *mod, const char *buf)
 
 	// 0. count
 	cnt = Mod_FrameGroupify_ParseGroups(buf, NULL, NULL);
+	if(!cnt)
+	{
+		Con_Printf("no scene found in framegroups file, aborting\n");
+		return;
+	}
+	mod->numframes = cnt;
 
 	// 1. reallocate
 	if(mod->animscenes)
 		Mem_Free(mod->animscenes);
-	mod->animscenes = (animscene_t *) Mem_Alloc(tempmempool, sizeof(animscene_t) * cnt);
+	mod->animscenes = (animscene_t *) Mem_Alloc(tempmempool, sizeof(animscene_t) * mod->numframes);
 
 	// 2. parse
-	Mod_FrameGroupify_ParseGroups(buf, Mod_FrameGroupify_ParseGroups_Store, mod->animscenes);
+	Mod_FrameGroupify_ParseGroups(buf, Mod_FrameGroupify_ParseGroups_Store, mod);
 }
 
 /*
-- 
2.39.2