7 files changed, 129 insertions, 20 deletions

diff --git a/src/qcommon/common.c b/src/qcommon/common.c
index 44174ead..a33eb6fd 100644
--- a/src/qcommon/common.c
+++ b/src/qcommon/common.c
@@ -77,6 +77,8 @@ cvar_t	*com_blood;
 cvar_t	*com_buildScript;	// for automated data building scripts
 cvar_t	*cl_paused;
 cvar_t	*sv_paused;
+cvar_t  *cl_packetdelay;
+cvar_t  *sv_packetdelay;
 cvar_t	*com_cameraMode;
 #if defined(_WIN32) && defined(_DEBUG)
 cvar_t	*com_noErrorInterrupt;
@@ -2085,6 +2087,7 @@ int Com_EventLoop( void ) {
 	MSG_Init( &buf, bufData, sizeof( bufData ) );
 
 	while ( 1 ) {
+		NET_FlushPacketQueue();
 		ev = Com_GetEvent();
 
 		// if no more events are available
@@ -2358,6 +2361,8 @@ void Com_Init( char *commandLine ) {
 
 	cl_paused = Cvar_Get ("cl_paused", "0", CVAR_ROM);
 	sv_paused = Cvar_Get ("sv_paused", "0", CVAR_ROM);
+	cl_packetdelay = Cvar_Get ("cl_packetdelay", "0", CVAR_CHEAT);
+	sv_packetdelay = Cvar_Get ("sv_packetdelay", "0", CVAR_CHEAT);
 	com_sv_running = Cvar_Get ("sv_running", "0", CVAR_ROM);
 	com_cl_running = Cvar_Get ("cl_running", "0", CVAR_ROM);
 	com_buildScript = Cvar_Get( "com_buildScript", "0", 0 );
diff --git a/src/qcommon/files.c b/src/qcommon/files.c
index c5b46607..9e9d21d0 100644
--- a/src/qcommon/files.c
+++ b/src/qcommon/files.c
@@ -2591,15 +2591,16 @@ we are not interested in a download string format, we want something human-reada
 qboolean FS_ComparePaks( char *neededpaks, int len, qboolean dlstring ) {
 	searchpath_t	*sp;
 	qboolean havepak, badchecksum;
+	char *origpos = neededpaks;
 	int i;
 
-	if ( !fs_numServerReferencedPaks ) {
+	if (!fs_numServerReferencedPaks)
 		return qfalse; // Server didn't send any pack information along
-	}
 
 	*neededpaks = 0;
 
-	for ( i = 0 ; i < fs_numServerReferencedPaks ; i++ ) {
+	for ( i = 0 ; i < fs_numServerReferencedPaks ; i++ )
+	{
 		// Ok, see if we have this pak file
 		badchecksum = qfalse;
 		havepak = qfalse;
@@ -2609,6 +2610,13 @@ qboolean FS_ComparePaks( char *neededpaks, int len, qboolean dlstring ) {
 			continue;
 		}
 
+		// Make sure the server cannot make us write to non-quake3 directories.
+		if(strstr(fs_serverReferencedPakNames[i], "../") || strstr(fs_serverReferencedPakNames[i], "..\\"))
+                {
+			Com_Printf("WARNING: Invalid download name %s\n", fs_serverReferencedPakNames[i]);
+                        continue;
+                }
+
 		for ( sp = fs_searchpaths ; sp ; sp = sp->next ) {
 			if ( sp->pack && sp->pack->checksum == fs_serverReferencedPaks[i] ) {
 				havepak = qtrue; // This is it!
@@ -2621,6 +2629,12 @@ qboolean FS_ComparePaks( char *neededpaks, int len, qboolean dlstring ) {
 
       if (dlstring)
       {
+	// We need this to make sure we won't hit the end of the buffer or the server could
+	// overwrite non-pk3 files on clients by writing so much crap into neededpaks that
+	// Q_strcat cuts off the .pk3 extension.
+	
+	origpos += strlen(origpos);
+	
         // Remote name
         Q_strcat( neededpaks, len, "@");
         Q_strcat( neededpaks, len, fs_serverReferencedPakNames[i] );
@@ -2641,6 +2655,14 @@ qboolean FS_ComparePaks( char *neededpaks, int len, qboolean dlstring ) {
           Q_strcat( neededpaks, len, fs_serverReferencedPakNames[i] );
           Q_strcat( neededpaks, len, ".pk3" );
         }
+        
+        // Find out whether it might have overflowed the buffer and don't add this file to the
+        // list if that is the case.
+        if(strlen(origpos) + (origpos - neededpaks) >= len - 1)
+	{
+		*origpos = '\0';
+		break;
+	}
       }
       else
       {
@@ -3146,7 +3168,7 @@ checksums to see if any pk3 files need to be auto-downloaded.
 =====================
 */
 void FS_PureServerSetReferencedPaks( const char *pakSums, const char *pakNames ) {
-	int		i, c, d;
+	int		i, c, d = 0;
 
 	Cmd_TokenizeString( pakSums );
 
@@ -3155,30 +3177,36 @@ void FS_PureServerSetReferencedPaks( const char *pakSums, const char *pakNames )
 		c = MAX_SEARCH_PATHS;
 	}
 
-	fs_numServerReferencedPaks = c;
-
 	for ( i = 0 ; i < c ; i++ ) {
 		fs_serverReferencedPaks[i] = atoi( Cmd_Argv( i ) );
 	}
 
-	for ( i = 0 ; i < c ; i++ ) {
-		if (fs_serverReferencedPakNames[i]) {
+	for (i = 0 ; i < sizeof(fs_serverReferencedPakNames) / sizeof(*fs_serverReferencedPakNames); i++)
+	{
+		if(fs_serverReferencedPakNames[i])
 			Z_Free(fs_serverReferencedPakNames[i]);
-		}
+
 		fs_serverReferencedPakNames[i] = NULL;
 	}
+
 	if ( pakNames && *pakNames ) {
 		Cmd_TokenizeString( pakNames );
 
 		d = Cmd_Argc();
-		if ( d > MAX_SEARCH_PATHS ) {
-			d = MAX_SEARCH_PATHS;
-		}
+
+		if(d > c)
+			d = c;
 
 		for ( i = 0 ; i < d ; i++ ) {
 			fs_serverReferencedPakNames[i] = CopyString( Cmd_Argv( i ) );
 		}
 	}
+	
+	// ensure that there are as many checksums as there are pak names.
+	if(d < c)
+		c = d;
+	
+	fs_numServerReferencedPaks = c;	
 }
 
 /*
diff --git a/src/qcommon/md4.c b/src/qcommon/md4.c
index 2501b2b6..838b062e 100644
--- a/src/qcommon/md4.c
+++ b/src/qcommon/md4.c
@@ -159,10 +159,10 @@ static void mdfour_update(struct mdfour *md, byte *in, int n)
 {
 	uint32_t M[16];
 
-	if (n == 0) mdfour_tail(in, n);
-
 	m = md;
 
+	if (n == 0) mdfour_tail(in, n);
+
 	while (n >= 64) {
 		copy64(M, in);
 		mdfour64(M);
diff --git a/src/qcommon/msg.c b/src/qcommon/msg.c
index da96dab9..e4db4d8e 100644
--- a/src/qcommon/msg.c
+++ b/src/qcommon/msg.c
@@ -469,6 +469,10 @@ char *MSG_ReadBigString( msg_t *msg ) {
 		if ( c == '%' ) {
 			c = '.';
 		}
+		// don't allow higher ascii values
+		if ( c > 127 ) {
+			c = '.';
+		}
 
 		string[l] = c;
 		l++;
@@ -493,6 +497,11 @@ char *MSG_ReadStringLine( msg_t *msg ) {
 		if ( c == '%' ) {
 			c = '.';
 		}
+		// don't allow higher ascii values
+		if ( c > 127 ) {
+			c = '.';
+		}
+
 		string[l] = c;
 		l++;
 	} while (l < sizeof(string)-1);
diff --git a/src/qcommon/net_chan.c b/src/qcommon/net_chan.c
index 4df95c46..9dd41589 100644
--- a/src/qcommon/net_chan.c
+++ b/src/qcommon/net_chan.c
@@ -614,6 +614,62 @@ void NET_SendLoopPacket (netsrc_t sock, int length, const void *data, netadr_t t
 
 //=============================================================================
 
+typedef struct packetQueue_s {
+        struct packetQueue_s *next;
+        int length;
+        byte *data;
+        netadr_t to;
+        int release;
+} packetQueue_t;
+
+packetQueue_t *packetQueue = NULL;
+
+static void NET_QueuePacket( int length, const void *data, netadr_t to,
+	int offset )
+{
+	packetQueue_t *new, *next = packetQueue;
+
+	if(offset > 999)
+		offset = 999;
+
+	new = S_Malloc(sizeof(packetQueue_t));
+	new->data = S_Malloc(length);
+	Com_Memcpy(new->data, data, length);
+	new->length = length;
+	new->to = to;
+	new->release = Sys_Milliseconds() + offset;	
+	new->next = NULL;
+
+	if(!packetQueue) {
+		packetQueue = new;
+		return;
+	}
+	while(next) {
+		if(!next->next) {
+			next->next = new;
+			return;
+		}
+		next = next->next;
+	}
+}
+
+void NET_FlushPacketQueue(void)
+{
+	packetQueue_t *last;
+	int now;
+
+	while(packetQueue) {
+		now = Sys_Milliseconds();
+		if(packetQueue->release >= now)
+			break;
+		Sys_SendPacket(packetQueue->length, packetQueue->data,
+			packetQueue->to);
+		last = packetQueue;
+		packetQueue = packetQueue->next;
+		Z_Free(last->data);
+		Z_Free(last);
+	}
+}
 
 void NET_SendPacket( netsrc_t sock, int length, const void *data, netadr_t to ) {
 
@@ -630,7 +686,15 @@ void NET_SendPacket( netsrc_t sock, int length, const void *data, netadr_t to )
 		return;
 	}
 
-	Sys_SendPacket( length, data, to );
+	if ( sock == NS_CLIENT && cl_packetdelay->integer > 0 ) {
+		NET_QueuePacket( length, data, to, cl_packetdelay->integer );
+	}
+	else if ( sock == NS_SERVER && sv_packetdelay->integer > 0 ) {
+		NET_QueuePacket( length, data, to, sv_packetdelay->integer );
+	}
+	else {
+		Sys_SendPacket( length, data, to );
+	}
 }
 
 /*
diff --git a/src/qcommon/qcommon.h b/src/qcommon/qcommon.h
index b21b5958..9cb03b6f 100644
--- a/src/qcommon/qcommon.h
+++ b/src/qcommon/qcommon.h
@@ -157,7 +157,7 @@ void		NET_Init( void );
 void		NET_Shutdown( void );
 void		NET_Restart( void );
 void		NET_Config( qboolean enableNetworking );
-
+void		NET_FlushPacketQueue(void);
 void		NET_SendPacket (netsrc_t sock, int length, const void *data, netadr_t to);
 void		QDECL NET_OutOfBandPrint( netsrc_t net_socket, netadr_t adr, const char *format, ...);
 void		QDECL NET_OutOfBandData( netsrc_t sock, netadr_t adr, byte *format, int len );
@@ -750,6 +750,9 @@ extern	cvar_t	*com_altivec;
 extern	cvar_t	*cl_paused;
 extern	cvar_t	*sv_paused;
 
+extern	cvar_t	*cl_packetdelay;
+extern	cvar_t	*sv_packetdelay;
+
 // com_speeds times
 extern	int		time_game;
 extern	int		time_frontend;
diff --git a/src/qcommon/vm_ppc_new.c b/src/qcommon/vm_ppc_new.c
index 42a03a50..a731d653 100644
--- a/src/qcommon/vm_ppc_new.c
+++ b/src/qcommon/vm_ppc_new.c
@@ -1107,7 +1107,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 		#endif
 		assertInteger(opStackDepth-1);
 		assertInteger(opStackDepth-2);
-                Inst( "cmp", PPC_CMP, 0, opStackIntRegisters[opStackDepth-2], opStackIntRegisters[opStackDepth-1] );
+                Inst( "cmpl", PPC_CMPL, 0, opStackIntRegisters[opStackDepth-2], opStackIntRegisters[opStackDepth-1] );
 		opStackRegType[opStackDepth-1] = 0;
 		opStackRegType[opStackDepth-2] = 0;
 		opStackLoadInstructionAddr[opStackDepth-1] = 0;
@@ -1131,7 +1131,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 		#endif
 		assertInteger(opStackDepth-1);
 		assertInteger(opStackDepth-2);
-                Inst( "cmp", PPC_CMP, 0, opStackIntRegisters[opStackDepth-2], opStackIntRegisters[opStackDepth-1] );
+                Inst( "cmpl", PPC_CMPL, 0, opStackIntRegisters[opStackDepth-2], opStackIntRegisters[opStackDepth-1] );
 		opStackRegType[opStackDepth-1] = 0;
 		opStackRegType[opStackDepth-2] = 0;
 		opStackLoadInstructionAddr[opStackDepth-1] = 0;
@@ -1155,7 +1155,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 		#endif
 		assertInteger(opStackDepth-1);
 		assertInteger(opStackDepth-2);
-                Inst( "cmp", PPC_CMP, 0, opStackIntRegisters[opStackDepth-2], opStackIntRegisters[opStackDepth-1] );
+                Inst( "cmpl", PPC_CMPL, 0, opStackIntRegisters[opStackDepth-2], opStackIntRegisters[opStackDepth-1] );
 		opStackRegType[opStackDepth-1] = 0;
 		opStackRegType[opStackDepth-2] = 0;
 		opStackLoadInstructionAddr[opStackDepth-1] = 0;
@@ -1179,7 +1179,7 @@ void VM_Compile( vm_t *vm, vmHeader_t *header ) {
 		#endif
 		assertInteger(opStackDepth-1);
 		assertInteger(opStackDepth-2);
-                Inst( "cmp", PPC_CMP, 0, opStackIntRegisters[opStackDepth-2], opStackIntRegisters[opStackDepth-1] );
+                Inst( "cmpl", PPC_CMPL, 0, opStackIntRegisters[opStackDepth-2], opStackIntRegisters[opStackDepth-1] );
 		opStackRegType[opStackDepth-1] = 0;
 		opStackRegType[opStackDepth-2] = 0;
 		opStackLoadInstructionAddr[opStackDepth-1] = 0;