PRVM: fix incorrect tempstring length in VM_tokenizebyseparator()

This caused memcpy() in PRVM_SetTempString() to copy too many bytes, when the source string had the maximum length it could read past the end and trigger a segfault. Bug was introduced in 26a665f and looks to be specific to that builtin. Signed-off-by: bones_was_here <[email protected]>
DarkPlacesEngine · Jul 23, 2024 · ffc8287 · ffc8287
1 parent 9c29f2a
commit ffc8287
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/prvm_cmds.c b/prvm_cmds.c
@@ -2790,8 +2790,8 @@ void VM_tokenizebyseparator (prvm_prog_t *prog)
  tokens_endpos[num_tokens] = p0 - tokenize_string;
  if (j >= (int)sizeof(tokentext))
  break;
- tokentext[j++] = '\0';
- tokens[num_tokens++] = PRVM_SetTempString(prog, token, j - 1);
+ tokentext[j] = '\0';
+ tokens[num_tokens++] = PRVM_SetTempString(prog, token, j++ - (token - tokentext));
  if (!*p)
  break;
  }