From 05cbd84ae02aff94f1845b84301d7200123f9330 Mon Sep 17 00:00:00 2001
From: swagtoy
Date: Fri, 4 Oct 2024 04:45:09 -0400
Subject: [PATCH] Fix irrString use-after-free with char-like assignment (operator=)

---
 irr/include/irrString.h | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/irr/include/irrString.h b/irr/include/irrString.h
index 9d9b288d8..76e0548d3 100644
--- a/irr/include/irrString.h
+++ b/irr/include/irrString.h
@@ -173,13 +173,24 @@ public:
 		return *this;
 	}
 
-	// no longer allowed!
-	_IRR_DEBUG_BREAK_IF((void *)c == (void *)c_str());
+	if constexpr (sizeof(T) != sizeof(B)) {
+		_IRR_DEBUG_BREAK_IF(
+			(uintptr_t)c >= (uintptr_t)(str.data()) &&
+			(uintptr_t)c < (uintptr_t)(str.data() + str.size()));
+	}
+
+	if ((void *)c == (void *)c_str())
+		return *this;
 
 	u32 len = calclen(c);
-	str.resize(len);
+	// In case `c` is a pointer to our own buffer, we may not resize first
+	// or it can become invalid.
+	if (len > str.size())
+		str.resize(len);
 	for (u32 l = 0; l < len; ++l)
-		str[l] = (T)c[l];
+		str[l] = static_cast(c[l]);
+	if (len < str.size())
+		str.resize(len);
 	return *this;
 }
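Review bot: The overlap guard in the mixed-width branch (`if constexpr (sizeof(T) != sizeof(B))`) only raises a debug break, so in builds where `_IRR_DEBUG_BREAK_IF` compiles to nothing (presumably release) an argument pointing into our own buffer still reaches the resize/copy below, where `calclen` over narrower elements can exceed `str.size()` and the growing `str.resize(len)` frees the memory `c` points at — the very use-after-free the commit title names. The same-width path is sound, since it copies forward from a source at or above the destination and only shrinks afterwards, but the mixed-width case needs a real code path rather than an assertion: detect the overlap unconditionally and build the result in a temporary, as sketched below (this assumes `str` is a std::basic_string-like type, which its `data()`/`size()`/`resize()` use suggests). The four `(uintptr_t)` C-style casts would read better as `reinterpret_cast<uintptr_t>`. Note also that `static_cast(c[l])` as shown here has no template argument, presumably `<T>` lost in rendering. operator= begins above this hunk.
```cpp
	// … unchanged: null check and same-pointer early return …
	u32 len = calclen(c);
	if constexpr (sizeof(T) != sizeof(B)) {
		const uintptr_t lo = reinterpret_cast<uintptr_t>(str.data());
		const uintptr_t hi = reinterpret_cast<uintptr_t>(str.data() + str.size());
		const uintptr_t p = reinterpret_cast<uintptr_t>(c);
		if (p >= lo && p < hi) {
			// `c` lives inside our own buffer with a different element width: an
			// in-place copy would overwrite bytes not yet read, and a growing
			// resize() would free them. Build the result aside and swap it in.
			decltype(str) tmp(len, T());
			for (u32 l = 0; l < len; ++l)
				tmp[l] = static_cast<T>(c[l]);
			str.swap(tmp);
			return *this;
		}
	}
	// … unchanged: same-width path (grow if needed, copy forward, shrink) …
```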