From 4cc716a0f5198f9ad9e32d79de14db535ae51c12 Mon Sep 17 00:00:00 2001
From: Turo Lamminen
Date: Tue, 11 Aug 2015 14:32:26 +0300
Subject: [PATCH] MDL: Fix read past end of buffer with malformed input
---
 code/MDLLoader.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/code/MDLLoader.cpp b/code/MDLLoader.cpp
index 60c92661b..c5b8d63c3 100644
--- a/code/MDLLoader.cpp
+++ b/code/MDLLoader.cpp
@@ -355,6 +355,9 @@ void MDLImporter::InternReadFile_Quake1( )
 for (unsigned int i = 0; i < (unsigned int)pcHeader->num_skins;++i)
 {
 union{BE_NCONST MDL::Skin* pcSkin;BE_NCONST MDL::GroupSkin* pcGroupSkin;};
+ if (szCurrent + sizeof(MDL::Skin) > this->mBuffer + this->iFileSize) {
+ throw DeadlyImportError("[Quake 1 MDL] Unexpected EOF");
+ }
 pcSkin = (BE_NCONST MDL::Skin*)szCurrent;
 AI_SWAP4( pcSkin->group );
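Review bot: The added bound check in the skin loop computes `szCurrent + sizeof(MDL::Skin)` before comparing it. If `szCurrent` has already moved past `this->mBuffer + this->iFileSize` (presumably it is advanced by sizes read from the file on earlier iterations), that addition is itself out of range and the comparison is not guaranteed to fire. Comparing the remaining byte count avoids this: `const unsigned char* const szEnd = this->mBuffer + this->iFileSize;` followed by `if (szCurrent > szEnd || (size_t)(szEnd - szCurrent) < sizeof(MDL::Skin)) throw DeadlyImportError("[Quake 1 MDL] Unexpected EOF");`. The check also covers only the fixed `MDL::Skin` header. The rest of the loop body lies outside this hunk, so it should be confirmed that the group-skin fields and skin pixel data read after it are bounded the same way. A one-line comment such as `// file-controlled num_skins and skin sizes must not move szCurrent past the file buffer` would record why the guard exists.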