Fix use-after-free when calling v.drawString in Lua

Since the release of 2.2.11, it's gotten kinda rough to track down crash-related bugs due to all the simple ones being fixed. As such, I once again brought out the big guns with MemorySanitizer, and I found that the v.drawString Lua function has a small chance of segfaulting due to use-after-free. This is because the engine uses a shared memory buffer for all strings that are rendered on-screen, and this buffer is resized using Z_ReallocAlign. The problem here is that since there's no guarantee that there is enough memory for it to grow in-place, it might need to move the memory address where the buffer is stored. This causes all pointers used in strings to now be dangling, since they still point towards the old address.

The fix simply re-aligns the addresses by adding the string addresses to the offset of the old vs the new address, thus correctly pointing the addresses to the new memory address.

src/lua_hudlib_drawlist.c

@@ -177,9 +177,18 @@ static const char *CopyString(huddrawlist_h list, const char* str)
 	lenstr = strlen(str);
 	if (list->strbuf_capacity <= list->strbuf_len + lenstr + 1)
 	{
+		const char *old_offset = list->strbuf;
+		size_t i;
 		if (list->strbuf_capacity == 0) list->strbuf_capacity = 256;
 		else list->strbuf_capacity *= 2;
 		list->strbuf = (char*) Z_Realloc(list->strbuf, sizeof(char) * list->strbuf_capacity, PU_STATIC, NULL);
+
+		// align the string pointers to make sure old pointers don't point towards invalid addresses
+		// this is necessary since Z_ReallocAlign might actually move the string buffer in memory
+		for (i = 0; i < list->items_len; i++)
+		{
+			list->items[i].str += list->strbuf - old_offset;
+		}
 	}
 	const char *result = (const char *) &list->strbuf[list->strbuf_len];
 	strncpy(&list->strbuf[list->strbuf_len], str, lenstr + 1);