From ffc82878f0b92b5313b27a7a74e0fab91d8d8d25 Mon Sep 17 00:00:00 2001
From: bones_was_here <bones_was_here@xonotic.au>
Date: Wed, 24 Jul 2024 01:35:18 +1000
Subject: [PATCH] PRVM: fix incorrect tempstring length in
 VM_tokenizebyseparator()

This caused memcpy() in PRVM_SetTempString() to copy too many bytes,
when the source string had the maximum length it could read past the end
and trigger a segfault.
Bug was introduced in 26a665ff43052862131df3c63785f91861989fc8 and looks
to be specific to that builtin.

Signed-off-by: bones_was_here <bones_was_here@xonotic.au>
---
 prvm_cmds.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/prvm_cmds.c b/prvm_cmds.c
index 3eb34154..03eb39a8 100644
--- a/prvm_cmds.c
+++ b/prvm_cmds.c
@@ -2790,8 +2790,8 @@ void VM_tokenizebyseparator (prvm_prog_t *prog)
 		tokens_endpos[num_tokens] = p0 - tokenize_string;
 		if (j >= (int)sizeof(tokentext))
 			break;
-		tokentext[j++] = '\0';
-		tokens[num_tokens++] = PRVM_SetTempString(prog, token, j - 1);
+		tokentext[j] = '\0';
+		tokens[num_tokens++] = PRVM_SetTempString(prog, token, j++ - (token - tokentext));
 		if (!*p)
 			break;
 	}
-- 
2.39.2