Halflife: Buffer overflows in demo parsing

There are at least two buffer overflows in demo parsing which can be used to execute malicious code upon invoking playdemo on a specifically constructed demo file. They work in latest Steam GoldSource games for both Windows and Linux. I don't have an OSX machine, but they most likely work there as well.

The first one is inside CL_DemoParseSound(): first, an integer sample length is read, then _length_ bytes are read into a 256-byte long buffer (char sample[256]) without any boundary checking. The function then additionally sets the byte after the last one read to '0'. If the length is made to be more than 255, other data up the stack will get overridden, including the saved EIP. Here's a PoC demo that makes the engine jump to 0xBADC0DE when playdemo'd (Windows, latest Steam GoldSource game): https://mega.nz/#!ZF5gEDyR!R2eyOW53BuRGhoeUIL1OmA51loBQ1t-oL0-eX8TB3Ao

The second one is inside the custom demo buffer frame parsing and is of the same nature, the integer length is read, then _length_ bytes are read into a 32768-byte long buffer without any boundary checking. Here's a PoC demo for this one (Windows, latest Steam GoldSource game): https://mega.nz/#!9M4xTRiK!qZcBq3F4WiEvppNHlk5Ons6MOtbnHlXC6PzsWKqo87U

To players: be careful playing back demos you got from untrusted sources. I made a simple tool that neutralizes those two types of buffer overflows in demos, you can get it here: https://github.com/YaLTeR/DemTools/releases/tag/1