Add string length checking to function COM_StripExtension. This fixes the R_RemapShader buffer overflow exploit that can be found here:

http://milw0rm.com/exploits/1750

code/qcommon/files.c

@@ -3451,7 +3451,7 @@ void	FS_FilenameCompletion( const char *dir, const char *ext,
 		Q_strncpyz( filename, filenames[ i ], MAX_STRING_CHARS );
 
 		if( stripExt ) {
-			COM_StripExtension( filename, filename );
+			COM_StripExtension(filename, filename, sizeof(filename));
 		}
 
 		callback( filename );

code/qcommon/q_shared.c

@@ -58,10 +58,10 @@ char *COM_SkipPath (char *pathname)
 COM_StripExtension
 ============
 */
-void COM_StripExtension( const char *in, char *out ) {
+void COM_StripExtension( const char *in, char *out, int destsize ) {
 	int             length;
 
-	strcpy( out, in );
+	Q_strncpyz(out, in, destsize);
 
 	length = strlen(out)-1;
 	while (length > 0 && out[length] != '.')

code/qcommon/q_shared.h

@@ -588,7 +588,7 @@ int Q_isnan( float x );
 float Com_Clamp( float min, float max, float value );
 
 char	*COM_SkipPath( char *pathname );
-void	COM_StripExtension( const char *in, char *out );
+void	COM_StripExtension(const char *in, char *out, int destsize);
 void	COM_DefaultExtension( char *path, int maxSize, const char *extension );
 
 void	COM_BeginParseSession( const char *name );

code/qcommon/vm.c

@@ -230,7 +230,7 @@ void VM_LoadSymbols( vm_t *vm ) {
 		return;
 	}
 
-	COM_StripExtension( vm->name, name );
+	COM_StripExtension(vm->name, name, sizeof(name));
 	Com_sprintf( symbols, sizeof( symbols ), "vm/%s.map", name );
 	len = FS_ReadFile( symbols, (void **)&mapfile );
 	if ( !mapfile ) {