From e90d6e8e65843f7051ee56ea671c78f5af2c1f5a Mon Sep 17 00:00:00 2001
From: divverent
Date: Sun, 5 Jul 2009 18:47:14 +0000
Subject: [PATCH] fix buffer overruns in sv.model_precache
git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@9043 d7cf8633-e32d-0410-b094-e92efae38249
---
 sv_main.c | 2 +-
 sv_phys.c | 2 +-
 svvm_cmds.c | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/sv_main.c b/sv_main.c
index 96b4ae0d..eb5bbda4 100644
--- a/sv_main.c
+++ b/sv_main.c
@@ -2908,7 +2908,7 @@ void SV_SpawnServer (const char *server)
 strlcpy(sv.model_precache[0], "", sizeof(sv.model_precache[0]));
 strlcpy(sv.model_precache[1], sv.modelname, sizeof(sv.model_precache[1]));
- for (i = 1;i < sv.worldmodel->brush.numsubmodels;i++)
+ for (i = 1;i < sv.worldmodel->brush.numsubmodels && i+1 < MAX_MODELS;i++)
 {
 dpsnprintf(sv.model_precache[i+1], sizeof(sv.model_precache[i+1]), "*%i", i);
 sv.models[i+1] = Mod_ForName (sv.model_precache[i+1], false, false, sv.modelname);
diff --git a/sv_phys.c b/sv_phys.c
index bc4d42f1..1b515b46 100644
--- a/sv_phys.c
+++ b/sv_phys.c
@@ -392,7 +392,7 @@ void SV_LinkEdict (prvm_edict_t *ent, qboolean touch_triggers)
 if (ent->fields.server->solid == SOLID_BSP)
 {
 int modelindex = (int)ent->fields.server->modelindex;
- if (modelindex < 0 || modelindex > MAX_MODELS)
+ if (modelindex < 0 || modelindex >= MAX_MODELS)
 {
 Con_Printf("edict %i: SOLID_BSP with invalid modelindex!\n", PRVM_NUM_FOR_EDICT(ent));
 modelindex = 0;
diff --git a/svvm_cmds.c b/svvm_cmds.c
index 8bd628f5..19837c3d 100644
--- a/svvm_cmds.c
+++ b/svvm_cmds.c
@@ -2691,7 +2691,7 @@ int SV_GetTagMatrix (matrix4x4_t *out, prvm_edict_t *ent, int tagindex)
 return 2;
 modelindex = (int)ent->fields.server->modelindex;
- if (modelindex <= 0 || modelindex > MAX_MODELS)
+ if (modelindex <= 0 || modelindex >= MAX_MODELS)
 return 3;
 model = sv.models[modelindex];
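Review bot: The new `i+1 < MAX_MODELS` bound in the SV_SpawnServer loop stops precaching submodels without any message, so a map with more submodels than the table holds loads with part of its world geometry unregistered and nothing in the log to explain it. A warning after the loop would make the truncation visible, for example `if (i < sv.worldmodel->brush.numsubmodels) Con_Printf("SV_SpawnServer: too many submodels, stopped at %i of %i\n", i, sv.worldmodel->brush.numsubmodels);`. The guard also protects the `sv.models[i+1]` store only if that array has at least MAX_MODELS entries, which is not visible here and is worth confirming. The loop body ends outside the hunk.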
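Review bot: The corrected range check in SV_LinkEdict still runs only after `(int)ent->fields.server->modelindex` has been evaluated, so a script-supplied value that is NaN or outside the range of int goes through the conversion first, and that conversion is undefined in C. If the field is a float, as the cast suggests, testing it before converting removes the dependence on what the cast happens to produce: `if (!(ent->fields.server->modelindex >= 0 && ent->fields.server->modelindex < MAX_MODELS))`. The same cast-then-check order appears in the SV_GetTagMatrix, VM_SV_gettagindex, VM_SV_setmodelindex and VM_SV_modelnameforindex hunks of svvm_cmds.c. The enclosing block continues outside the hunk.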
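Review bot: The test `<= 0 || >= MAX_MODELS` is now written out by hand four times in svvm_cmds.c (SV_GetTagMatrix here, then VM_SV_gettagindex, VM_SV_setmodelindex and VM_SV_modelnameforindex), and the off-by-one this commit fixes was present in every copy. Keeping the bound in one place would stop the copies drifting apart again, for instance a file-local helper such as `static qboolean SV_ModelIndexInRange(int i) { return i > 0 && i < MAX_MODELS; }` (the name is only a suggestion). SV_LinkEdict in sv_phys.c accepts index 0, so it would need its own variant or a comment saying why it differs.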
@@ -2783,7 +2783,7 @@ static void VM_SV_gettagindex (void)
 modelindex = (int)ent->fields.server->modelindex;
 tag_index = 0;
- if (modelindex <= 0 || modelindex > MAX_MODELS)
+ if (modelindex <= 0 || modelindex >= MAX_MODELS)
 Con_DPrintf("gettagindex(entity #%i): null or non-precached model\n", PRVM_NUM_FOR_EDICT(ent));
 else
 {
@@ -2950,7 +2950,7 @@ static void VM_SV_setmodelindex (void)
 return;
 }
 i = (int)PRVM_G_FLOAT(OFS_PARM1);
- if (i <= 0 || i > MAX_MODELS)
+ if (i <= 0 || i >= MAX_MODELS)
 {
 VM_Warning("setmodelindex: invalid modelindex\n");
 return;
@@ -2986,7 +2986,7 @@ static void VM_SV_modelnameforindex (void)
 PRVM_G_INT(OFS_RETURN) = OFS_NULL;
 i = (int)PRVM_G_FLOAT(OFS_PARM0);
- if (i <= 0 || i > MAX_MODELS)
+ if (i <= 0 || i >= MAX_MODELS)
 {
 VM_Warning("modelnameforindex: invalid modelindex\n");
 return;
-- 
2.39.2