fix short alloc and heap corruption for winding_accu_t and brush_t - brought about by TTimo/bspc#4

TTimo · TTimo · commit a88ef2068029 · 2016-04-24T15:02:50.000-05:00
diff --git a/tools/quake3/common/polylib.c b/tools/quake3/common/polylib.c
@@ -94,7 +94,7 @@ winding_accu_t *AllocWindingAccu( int points ){
 			c_peak_windings = c_active_windings;
 		}
 	}
-	s = sizeof( vec_accu_t ) * 3 * points + sizeof( int );
+	s = sizeof(*w) + (points > 4 ? sizeof(vec3_accu_t) * (points - 4) : 0);
 	w = safe_malloc( s );
 	memset( w, 0, s );
 	return w;
diff --git a/tools/quake3/q3map2/brush.c b/tools/quake3/q3map2/brush.c
@@ -93,12 +93,7 @@ brush_t *AllocBrush( int numSides ){
 	brush_t     *bb;
 	size_t c;
 
-
-	/* allocate and clear */
-	if ( numSides <= 0 ) {
-		Error( "AllocBrush called with numsides = %d", numSides );
-	}
-	c = (size_t)&( ( (brush_t*) 0 )->sides[ numSides ] );
+	c = sizeof(*bb) + (numSides > 6 ? sizeof(side_t)*(numSides - 6) : 0);
 	bb = safe_malloc( c );
 	memset( bb, 0, c );
 	if ( numthreads == 1 ) {

Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ winding_accu_t *AllocWindingAccu( int points ){`
`94`	`94`	`c_peak_windings = c_active_windings;`
`95`	`95`	`}`
`96`	`96`	`}`
`97`		`- s = sizeof( vec_accu_t ) * 3 * points + sizeof( int );`
	`97`	`+ s = sizeof(w) + (points > 4 ? sizeof(vec3_accu_t) (points - 4) : 0);`
`98`	`98`	`w = safe_malloc( s );`
`99`	`99`	`memset( w, 0, s );`
`100`	`100`	`return w;`