From 5badc11159e6d754803aefaeff29cdf50e01ebc4 Mon Sep 17 00:00:00 2001
From: mazmazz <mar.marcoz@outlook.com>
Date: Sat, 22 Dec 2018 20:17:50 -0500
Subject: [PATCH] Fix integer overflow on for loop decrements

---
 src/hu_stuff.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/hu_stuff.c b/src/hu_stuff.c
index fc5ae657cc..984d1016d0 100644
--- a/src/hu_stuff.c
+++ b/src/hu_stuff.c
@@ -847,10 +847,13 @@ static inline boolean HU_keyInChatString(char *s, char ch)
 
 				// move everything past c_input for new characters:
 				size_t m = HU_MAXMSGLEN-1;
-				for (;(m>=c_input);m--)
+				while (m>=c_input)
 				{
 					if (s[m])
 						s[m+1] = (s[m]);
+					if (m == 0) // prevent overflow
+						break;
+					m--;
 				}
 				s[c_input] = ch;		// and replace this.
 			}
@@ -1177,11 +1180,13 @@ boolean HU_Responder(event_t *ev)
 			else	// otherwise, we need to shift everything and make space, etc etc
 			{
 				size_t i = HU_MAXMSGLEN-1;
-				for (; i>=c_input;i--)
+				while (i >= c_input)
 				{
 					if (w_chat[i])
 						w_chat[i+pastelen] = w_chat[i];
-
+					if (i == 0) // prevent overflow
+						break;
+					i--;
 				}
 				memcpy(&w_chat[c_input], paste, pastelen);	// copy all of that.
 				c_input += pastelen;
-- 
GitLab