From d9f3b01690e3fa77cdfec7113334b9102127ae2e Mon Sep 17 00:00:00 2001
From: chromaticpipe <chromaticpipe@gmail.com>
Date: Wed, 26 Feb 2025 15:04:20 -0600
Subject: [PATCH] Fix possible buffer overflow in 'va' function

In the original merge request, something was changed regarding console chat not saving, I wasn't able to recreate this issue here but i'm adding it just in case
---
 src/hu_stuff.c | 7 +++++--
 src/m_misc.c   | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/hu_stuff.c b/src/hu_stuff.c
index 7f2560bcc4..91a0d352be 100644
--- a/src/hu_stuff.c
+++ b/src/hu_stuff.c
@@ -395,8 +395,11 @@ void HU_AddChatText(const char *text, boolean playsound)
 
 	if (OLDCHAT) // if we're using oldchat, print directly in console
 		CONS_Printf("%s\n", text);
-	else			// if we aren't, still save the message to log.txt
-		CON_LogMessage(va("%s\n", text));
+	else			// if we aren't, still save the message to log.txt	
+	{
+		CON_LogMessage(text);
+		CON_LogMessage("\n"); // Add newline. Don't use va for that, since `text` might be refering to va's buffer itself
+	}
 }
 
 /** Runs a say command, sending an ::XD_SAY message.
diff --git a/src/m_misc.c b/src/m_misc.c
index 24616e9db4..f8087e8c2b 100644
--- a/src/m_misc.c
+++ b/src/m_misc.c
@@ -1720,7 +1720,7 @@ char *va(const char *format, ...)
 	static char string[1024];
 
 	va_start(argptr, format);
-	vsprintf(string, format, argptr);
+	vsnprintf(string, 1024, format, argptr);
 	va_end(argptr);
 
 	return string;
-- 
GitLab