From 6680d394e859853516f54ecaed907e68f69428d2 Mon Sep 17 00:00:00 2001
From: Garux
Date: Sat, 23 Feb 2019 00:02:58 +0300
Subject: [PATCH] fix use after free (freed by realloc in EmitShader)
---
 tools/quake3/q3map2/lightmaps_ydnar.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/tools/quake3/q3map2/lightmaps_ydnar.c b/tools/quake3/q3map2/lightmaps_ydnar.c
index f9ff6c7e..4ccc6e18 100644
--- a/tools/quake3/q3map2/lightmaps_ydnar.c
+++ b/tools/quake3/q3map2/lightmaps_ydnar.c
@@ -3512,7 +3512,9 @@ void StoreSurfaceLightmaps( qboolean fastAllocate ){
 /* store it */
 //% Sys_Printf( "Emitting: %s (%d", csi->shader, strlen( csi->shader ) );
- ds->shaderNum = EmitShader( csi->shader, &bspShaders[ ds->shaderNum ].contentFlags, &bspShaders[ ds->shaderNum ].surfaceFlags );
+ int cont = bspShaders[ ds->shaderNum ].contentFlags;
+ int surf = bspShaders[ ds->shaderNum ].surfaceFlags;
+ ds->shaderNum = EmitShader( csi->shader, &cont, &surf );
 //% Sys_Printf( ")\n" );
 }
@@ -3530,13 +3532,17 @@ void StoreSurfaceLightmaps( qboolean fastAllocate ){
 /* store it */
 //% Sys_Printf( "Emitting: %s (%d", csi->shader, strlen( csi->shader ) );
- ds->shaderNum = EmitShader( csi->shader, &bspShaders[ ds->shaderNum ].contentFlags, &bspShaders[ ds->shaderNum ].surfaceFlags );
+ int cont = bspShaders[ ds->shaderNum ].contentFlags;
+ int surf = bspShaders[ ds->shaderNum ].surfaceFlags;
+ ds->shaderNum = EmitShader( csi->shader, &cont, &surf );
 //% Sys_Printf( ")\n" );
 }
 /* use the normal plain-jane shader */
 else{
- ds->shaderNum = EmitShader( info->si->shader, &bspShaders[ ds->shaderNum ].contentFlags, &bspShaders[ ds->shaderNum ].surfaceFlags );
+ int cont = bspShaders[ ds->shaderNum ].contentFlags;
+ int surf = bspShaders[ ds->shaderNum ].surfaceFlags;
+ ds->shaderNum = EmitShader( info->si->shader, &cont, &surf );
 }
 }
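Review bot: The added copies in this hunk carry no comment saying why the flags are copied, so a later cleanup could fold them back into `&bspShaders[ ds->shaderNum ].contentFlags` and reintroduce the dangling pointer named in the commit subject. Above the first `int cont` here, and at the two matching sites in the second hunk, I would add `/* EmitShader() may realloc bspShaders; pass copies, never pointers into the array */`. The copies also mean that anything EmitShader writes through those pointers is now discarded; EmitShader is not visible in this diff, so confirm that it only reads them. StoreSurfaceLightmaps starts and ends outside the hunk.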
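Review bot: The same copy-then-call sequence appears twice in this hunk and once in the first, so the realloc-safety rule lives in three places and one of them can be missed the next time the call changes. A small file-local helper that takes the shader name and the current shader index would hold the rule once, and each site then becomes `ds->shaderNum = EmitShaderCopyFlags( csi->shader, ds->shaderNum );` (or `info->si->shader` in the else branch). The helper name and its `const char *` parameter are my suggestion, since EmitShader's prototype is outside the diff. The enclosing function continues outside the hunk.

```c
/* EmitShader() may realloc bspShaders, so it gets copies of the flags, never pointers into the array */
static int EmitShaderCopyFlags( const char *shader, int shaderNum ){
	int cont = bspShaders[ shaderNum ].contentFlags;
	int surf = bspShaders[ shaderNum ].surfaceFlags;
	return EmitShader( shader, &cont, &surf );
}
```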