From d49701f8edb1e574649533f5b4feef64b3a8c296 Mon Sep 17 00:00:00 2001
From: divverent <divverent@d7cf8633-e32d-0410-b094-e92efae38249>
Date: Sun, 12 Apr 2009 19:06:39 +0000
Subject: [PATCH] fix crash in substring()

git-svn-id: svn://svn.icculus.org/twilight/trunk/darkplaces@8912 d7cf8633-e32d-0410-b094-e92efae38249
---
 prvm_cmds.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/prvm_cmds.c b/prvm_cmds.c
index a82c0179..aee1cb7c 100644
--- a/prvm_cmds.c
+++ b/prvm_cmds.c
@@ -2101,7 +2101,7 @@ string	substring(string s, float start, float length)
 // returns a section of a string as a tempstring
 void VM_substring(void)
 {
-	int start, length, slength;
+	int start, length, slength, maxlen;
 	const char *s;
 	char string[VM_STRINGTEMP_LENGTH];
 
@@ -2111,13 +2111,16 @@ void VM_substring(void)
 	start = (int)PRVM_G_FLOAT(OFS_PARM1);
 	length = (int)PRVM_G_FLOAT(OFS_PARM2);
 	slength = strlen(s);
-	if (length < 0) // FTE_STRINGS feature
-		length += slength - start;
+
 	if (start < 0) // FTE_STRINGS feature
 		start += slength;
-	start = bound(0, start, slength); // consistent with php 5.2.0 but not 5.2.3
-	length = min(length, (int)sizeof(string) - 1);
-	length = min(length, slength - start);
+	start = bound(0, start, slength);
+
+	if (length < 0) // FTE_STRINGS feature
+		length += slength - start;
+	maxlen = min((int)sizeof(string) - 1, slength - start);
+	length = bound(0, length, maxlen);
+
 	memcpy(string, s + start, length);
 	string[length] = 0;
 	PRVM_G_INT(OFS_RETURN) = PRVM_SetTempString(string);
-- 
2.39.2