engine: client: fix heap-buffer-overflow in remap when we switch model that have more remap textures than previous

engine/client/cl_remap.c

@@ -41,11 +41,24 @@ CL_CmpStudioTextures
 return true if equal
 ====================
 */
-qboolean CL_CmpStudioTextures( int numtexs, mstudiotexture_t *p1, mstudiotexture_t *p2 )
+static qboolean CL_CmpStudioTextures( int numtexs, mstudiotexture_t *p1, remap_info_t *remap )
 {
 	int	i;
+	mstudiotexture_t *p2;
 
-	if( !p1 || !p2 ) return false;
+	if( !p1 ) // no textures
+		return false;
+
+	if( !remap ) // current model has no remap
+		return false;
+
+	if( !remap->textures ) // shouldn't happen, just in case
+		return false;
+
+	if( numtexs != remap->numtextures ) // amount of textures differs, it's a different model
+		return false;
+
+	p2 = remap->ptexture;
 
 	for( i = 0; i < numtexs; i++, p1++, p2++ )
 	{
@@ -282,10 +295,9 @@ void CL_AllocRemapInfo( cl_entity_t *entity, model_t *model, int topcolor, int b
 		if( !phdr ) return;	// bad model?
 
 		src = (mstudiotexture_t *)(((byte *)phdr) + phdr->textureindex);
-		dst = (clgame.remap_info[i] ? clgame.remap_info[i]->ptexture : NULL);
 
 		// NOTE: we must copy all the structures 'mstudiotexture_t' for easy access when model is rendering
-		if( !CL_CmpStudioTextures( phdr->numtextures, src, dst ) || clgame.remap_info[i]->model != model )
+		if( !CL_CmpStudioTextures( phdr->numtextures, src, clgame.remap_info[i] ) || clgame.remap_info[i]->model != model )
 		{
 			// this code catches studiomodel change with another studiomodel with remap textures
 			// e.g. playermodel 'barney' with playermodel 'gordon'