From 03115599a1933922c9533bcf4eb5ecb447e9700f Mon Sep 17 00:00:00 2001 From: cloudwalk Date: Wed, 30 Sep 2020 12:54:18 +0000 Subject: [PATCH] cmd: Fix integer overflow of cbuf->size when using defer. The size variable is used to track the size of the text buffers for each node for allocation purposes. These never get smaller, and the cbuf->size variable decrements based on length rather than size. Eventually this causes an integer overflow. git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@12976 d7cf8633-e32d-0410-b094-e92efae38249 --- cmd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd.c b/cmd.c index aa6eea83..08da25ac 100644 --- a/cmd.c +++ b/cmd.c @@ -423,7 +423,7 @@ static void Cbuf_Execute_Deferred (cmd_buf_t *cbuf) current->delay -= eat; if(current->delay <= 0) { - cbuf->size += current->size; + cbuf->size += current->length; List_Move(pos, &cbuf->start); // We must return and come back next frame or the engine will freeze. Fragile... like glass :3 return; -- 2.39.2
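Review bot: The changed line `cbuf->size += current->length;` inside the `if(current->delay <= 0)` block relies on an invariant that nothing in the hunk documents: `cbuf->size` counts pending text length, while the node's own `size` field is its allocation size, which per the commit message never gets smaller. Two fields both named `size` with different meanings is what made the original mistake easy, so a one-line comment here stating which quantity `cbuf->size` tracks would help prevent it being reintroduced. The decrement side is only described in the commit message and is not visible in this diff, so it is worth confirming that every other site that adjusts `cbuf->size` also uses `length`; otherwise the counter can still drift and wrap.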