From bb0f368080a587f9f79f1653c38d5b0e33a99fc5 Mon Sep 17 00:00:00 2001
From: NepDisk
Date: Thu, 16 Oct 2025 14:07:44 -0400
Subject: [PATCH] G_SaveDemo: fix oob reads/writes for replay names

https://github.com/Indev450/SRB2Kart-Saturn/commit/66f67c91e8614e44ec7eb330f22d0be1cf2534b3
---
 src/g_demo.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/g_demo.c b/src/g_demo.c
index 9252fb1eb..df2a65333 100644
--- a/src/g_demo.c
+++ b/src/g_demo.c
@@ -4397,7 +4397,8 @@ void G_SaveDemo(void)
 size_t i, strindex = 0;
 boolean dash = true;

- for (i = 0; demo.titlename[i] && i < 127; i++)
+ //for (i = 0; demo.titlename[i] && i < 127; i++) ?????
+ for (i = 0; i < 64 && demo.titlename[i]; i++)
 {
 if ((demo.titlename[i] >= 'a' && demo.titlename[i] <= 'z') ||
 (demo.titlename[i] >= '0' && demo.titlename[i] <= '9'))
@@ -4429,9 +4430,19 @@ void G_SaveDemo(void)
 if (demo_slug[0] != '\0')
 {
 // Slug is valid, write the chosen filename.
- writepoint = strstr(strrchr(demoname, *PATHSEP), "-") + 1;
- demo_slug[128 - (writepoint - demoname) - 4] = 0;
- sprintf(writepoint, "%s.lmp", demo_slug);
+ writepoint = strstr(strrchr(demoname, *PATHSEP), "-");
+ if (!writepoint)
+ return;
+
+ writepoint++;
+
+ size_t flen = 128 - (writepoint - demoname) - 4;
+
+ if (flen > 0 && flen < 128)
+ {
+ demo_slug[flen] = '\0';
+ sprintf(writepoint, "%s.lmp", demo_slug);
+ }
 }
 }
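Review bot: The new bound in `for (i = 0; i < 64 && demo.titlename[i]; i++)` is a bare literal, and the old loop is left behind as a commented-out line ending in `?????`. If 64 is the size of demo.titlename (its declaration is not in the hunk), tie the bound to the buffer, `for (i = 0; i < sizeof(demo.titlename) && demo.titlename[i]; i++)`, and replace the dead line with a why-comment such as `// check the bound before reading so an unterminated title cannot run past the buffer`. The loop body and its writes into demo_slug continue outside the hunk, so whether `strindex` is bounded against demo_slug's size cannot be confirmed from here.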
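Review bot: `strrchr(demoname, *PATHSEP)` is still passed straight into `strstr`, so a demoname without a path separator hands NULL to `strstr` before the new `!writepoint` check can run. The length math also reserves only 4 bytes for `.lmp`: a slug cut at `flen` makes `sprintf` write `flen + 5` bytes counting the terminator, one more than the 128 bytes the expression assumes for demoname, and `demo_slug[flen]` is only in bounds if demo_slug holds at least 128 bytes (its declaration is outside the hunk). The early `return` leaves G_SaveDemo before whatever follows this block, which may skip the save instead of keeping the default name. The version below checks both lookups, reserves 5 bytes, and lets `snprintf` truncate the slug without returning early.

```c
		// Slug is valid, write the chosen filename.
		char *sep = strrchr(demoname, *PATHSEP);

		writepoint = sep ? strstr(sep, "-") : NULL;
		if (writepoint)
		{
			// 128 is the demoname size this hunk already assumes.
			size_t used = (size_t)(++writepoint - demoname);

			// Reserve ".lmp" plus the terminating NUL: 5 bytes, not 4.
			if (used + 5 < 128)
				snprintf(writepoint, 128 - used, "%.*s.lmp", (int)(128 - used - 5), demo_slug);
		}
```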