From 1c49d76fb7bbffdd2402eb21878e93b557763049 Mon Sep 17 00:00:00 2001
From: mittorn <mittorn@sibmail.com>
Date: Mon, 1 Apr 2019 01:55:37 +0700
Subject: [PATCH] ref_soft: Fix some integer overflows

---
 r_polyse.c | 11 +++++++++++
 r_rast.c   | 12 ++++++++++++
 r_triapi.c | 36 ++++++++++++++++++------------------
 3 files changed, 41 insertions(+), 18 deletions(-)

diff --git a/r_polyse.c b/r_polyse.c
index b1719a33..3f9fddce 100644
--- a/r_polyse.c
+++ b/r_polyse.c
@@ -306,6 +306,17 @@ void FloorDivMod (float numer, float denom, int *quotient,
 			r = (int)denom - r;
 		}
 	}
+	if( q > INT_MAX / 2 || q < INT_MIN / 2 )
+	{
+		gEngfuncs.Con_Printf( S_ERROR"FloorDivMod: q overflow!\n" );
+		q = 1;
+	}
+
+	if( r > INT_MAX / 2 || r < INT_MIN / 2 )
+	{
+		gEngfuncs.Con_Printf( S_ERROR "FloorDivMod: r overflow!\n");
+		r = 1;
+	}
 
 	*quotient = q;
 	*rem = r;
diff --git a/r_rast.c b/r_rast.c
index fee7619c..fb326714 100644
--- a/r_rast.c
+++ b/r_rast.c
@@ -332,6 +332,12 @@ void R_EmitEdge (mvertex_t *pv0, mvertex_t *pv1)
 		v = ceilv0;
 		v2 = r_ceilv1 - 1;
 
+		if( v < 0 || v > MAXHEIGHT )
+		{
+			gEngfuncs.Con_Printf( S_ERROR "trailing edge overflow : %d\n", v );
+			return;
+		}
+
 		edge->surfs[0] = surface_p - surfaces;
 		edge->surfs[1] = 0;
 
@@ -344,6 +350,12 @@ void R_EmitEdge (mvertex_t *pv0, mvertex_t *pv1)
 		v2 = ceilv0 - 1;
 		v = r_ceilv1;
 
+		if( v < 0 || v > MAXHEIGHT )
+		{
+			gEngfuncs.Con_Printf( S_ERROR "leading edge overflow : %d\n", v );
+			return;
+		}
+
 		edge->surfs[0] = 0;
 		edge->surfs[1] = surface_p - surfaces;
 
diff --git a/r_triapi.c b/r_triapi.c
index cb477f5c..6b26752a 100644
--- a/r_triapi.c
+++ b/r_triapi.c
@@ -225,28 +225,28 @@ TriTexCoord2f
 
 =============
 */
-void TriTexCoord2f( float u, float v )
+void TriTexCoord2f( volatile float u, volatile float v )
 {
-	//pglTexCoord2f( u, v );
-	u = fmod(u, 10);
-	v = fmod(v, 10);
-	if( isnan(u) )
-		u = 0;
-	if( isnan(v))
-		v = 0;
-	while( u < 0 )
-		u = u + 1;
-	while( v < 0 )
-		v = v + 1;
+	volatile double u1 = 0, v1 = 0;
+	u = fmodf(u, 10);
+	v = fmodf(v, 10);
+	if( u < 1000 && u > -1000 )
+		u1 = u;
+	if( v < 1000 && v > -1000 )
+		v1 = v;
+	while( u1 < 0 )
+		u1 = u1 + 1;
+	while( v1 < 0 )
+		v1 = v1 + 1;
 
-	while( u > 1 )
-		u = u - 1;
-	while( v > 1 )
-		v = v - 1;
+	while( u1 > 1 )
+		u1 = u1 - 1;
+	while( v1 > 1 )
+		v1 = v1 - 1;
 
 
-	s = r_affinetridesc.skinwidth * bound(0.01,u,0.99);
-	t = r_affinetridesc.skinheight * bound(0.01,v,0.99);
+	s = r_affinetridesc.skinwidth * bound(0,u1,1);
+	t = r_affinetridesc.skinheight * bound(0,v1,1);
 }
 
 /*