From e31285fbadf76b1edf7ffc17ddfc06e9c204821a Mon Sep 17 00:00:00 2001
From: Loek Le Blansch
Date: Sun, 6 Oct 2024 19:02:24 +0200
Subject: fix buffer overrun (fiddling finally working consistently)

---
 src/frontend/qt_sdl/LocalMP.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/frontend/qt_sdl/LocalMP.cpp b/src/frontend/qt_sdl/LocalMP.cpp
index 8d3dd8a..a18a64f 100644
--- a/src/frontend/qt_sdl/LocalMP.cpp
+++ b/src/frontend/qt_sdl/LocalMP.cpp
@@ -489,6 +489,7 @@ int SendPacketGeneric(u32 type, u8* packet, int len, u64 timestamp)
 
 #ifdef VSR_MESSAGE_FIDDLING
     u16 pcmeta_type = *(u16*)(packet + 0x2a);
+    u16 pcmeta_body_len = *(u8*)(packet + 0x30);
     if (fiddle && type == 1 && pictochat && pcmeta_type == 2) { // content type is message fragment
         unsigned safe = 0;
 
@@ -499,7 +500,7 @@ int SendPacketGeneric(u32 type, u8* packet, int len, u64 timestamp)
             safe = 0x24; // don't touch the first 0x24 bytes
         }
 
-        for (size_t i = safe; i < 0xa0; i++) {
+        for (size_t i = safe; i < pcmeta_body_len; i++) {
             size_t msgdata_offset = content_offset + i - 0x24;
             packet[0x36 + i] = VSR_PC_MSG_DATA[msgdata_offset];
         }
-- 
cgit v1.2.3
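Review bot: The new loop bound `pcmeta_body_len` in the second hunk is a byte read out of the packet itself (`packet + 0x30` in the first hunk), so the write `packet[0x36 + i]` is still bounded only by data inside the buffer and never by the function's `len` argument; a body length near 0xff on a packet shorter than 0x36 + pcmeta_body_len bytes overruns just as the old constant 0xa0 did, and the read `VSR_PC_MSG_DATA[msgdata_offset]` has no bound at all. Clamp the limit against `len` before the loop, e.g. `size_t body_end = (len > 0x36) ? (size_t)len - 0x36 : 0; if (pcmeta_body_len < body_end) body_end = pcmeta_body_len;` and loop with `i < body_end`, and guard the reads at `packet + 0x2a` and `packet + 0x30` in the first hunk with a `len >= 0x31` check. Declaring the length as `u16` while reading a `u8` is harmless but reads as a leftover; `u8 pcmeta_body_len` matches the access. SendPacketGeneric begins before the first hunk and continues past the second, so the `len` checks that may already exist there are not visible here.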