From ffc82878f0b92b5313b27a7a74e0fab91d8d8d25 Mon Sep 17 00:00:00 2001
From: bones_was_here
Date: Wed, 24 Jul 2024 01:35:18 +1000
Subject: [PATCH] PRVM: fix incorrect tempstring length in VM_tokenizebyseparator()
This caused memcpy() in PRVM_SetTempString() to copy too many bytes, when the source string had the maximum length it could read past the end and trigger a segfault. Bug was introduced in 26a665ff43052862131df3c63785f91861989fc8 and looks to be specific to that builtin.
Signed-off-by: bones_was_here
---
prvm_cmds.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/prvm_cmds.c b/prvm_cmds.c
index 3eb341544..03eb39a8f 100644
--- a/prvm_cmds.c
+++ b/prvm_cmds.c
@@ -2790,8 +2790,8 @@ void VM_tokenizebyseparator (prvm_prog_t *prog)
 tokens_endpos[num_tokens] = p0 - tokenize_string;
 if (j >= (int)sizeof(tokentext))
 break;
- tokentext[j++] = '\0';
- tokens[num_tokens++] = PRVM_SetTempString(prog, token, j - 1);
+ tokentext[j] = '\0';
+ tokens[num_tokens++] = PRVM_SetTempString(prog, token, j++ - (token - tokentext));
 if (!*p)
 break;
 }
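Review bot: The post-increment buried inside the length argument on the last `+` line, `j++ - (token - tokentext)`, makes the one expression this fix is all about hard to read and to audit, since the reader has to work out that the increment only skips the terminator just written and does not feed into the subtraction. Pulling the side effect out makes the token length self-evident: `tokens[num_tokens++] = PRVM_SetTempString(prog, token, j - (int)(token - tokentext));` followed by `j++; /* step past the NUL written above */`. A one-line comment such as `// length of the current token only, not the cumulative index j; PRVM_SetTempString memcpy()s exactly this many bytes` would record why the subtraction is there, given that the previous `j - 1` was the overread. VM_tokenizebyseparator starts and ends outside this hunk and the declarations of j and token are not visible here, so the int cast assumes j is an int as the `(int)sizeof(tokentext)` comparison suggests; confirm against PRVM_SetTempString's length parameter type.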