From c8553223ec58e534f8c01f6a1565ef9e1820c42b Mon Sep 17 00:00:00 2001
From: Zack Middleton <zack@cloemail.com>
Date: Wed, 15 May 2024 19:32:32 -0500
Subject: [PATCH] Add range check for UI text buffer

It can't overflow because buff and text have the same max length (1024
and MAX_TOKENLENGTH).
---
 code/ui/ui_shared.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/code/ui/ui_shared.c b/code/ui/ui_shared.c
index 74bc77eb..e8b3a10e 100644
--- a/code/ui/ui_shared.c
+++ b/code/ui/ui_shared.c
@@ -3001,6 +3001,7 @@ void Item_Text_Wrapped_Paint(itemDef_t *item) {
 	char text[1024];
 	const char *p, *start, *textPtr;
 	char buff[1024];
+	int length;
 	int width, height;
 	float x, y;
 	vec4_t color;
@@ -3032,11 +3033,14 @@ void Item_Text_Wrapped_Paint(itemDef_t *item) {
 	start = textPtr;
 	p = strchr(textPtr, '\r');
 	while (p && *p) {
-		strncpy(buff, start, p-start+1);
-		buff[p-start] = '\0';
+		length = p-start+1;
+		if (length > sizeof(buff)) {
+			length = sizeof(buff);
+		}
+		Q_strncpyz(buff, start, length);
 		DC->drawText(x, y, item->textscale, color, buff, 0, 0, item->textStyle);
 		y += height + 5;
-		start += p - start + 1;
+		start += length;
 		p = strchr(p+1, '\r');
 	}
 	DC->drawText(x, y, item->textscale, color, start, 0, 0, item->textStyle);