From 9d9771578247de6bb0b736feec11fd99ca510108 Mon Sep 17 00:00:00 2001 From: Spoike Date: Sat, 17 May 2014 15:40:50 +0000 Subject: [PATCH] make sure .framegroups can't use poses out of bounds. git-svn-id: https://svn.code.sf.net/p/fteqw/code/trunk@4661 fc73d0e0-1445-4013-8a0c-d673dee63da5 --- engine/common/com_mesh.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/engine/common/com_mesh.c b/engine/common/com_mesh.c index b0192bd20..09a24818e 100644 --- a/engine/common/com_mesh.c +++ b/engine/common/com_mesh.c @@ -2225,8 +2225,8 @@ void Mod_CompileTriangleNeighbours(galiasinfo_t *galias) typedef struct { - int firstpose; - int posecount; + unsigned int firstpose; + unsigned int posecount; float fps; qboolean loop; char name[MAX_QPATH]; @@ -5346,7 +5346,15 @@ qboolean QDECL Mod_LoadPSKModel(model_t *mod, void *buffer, size_t fsize) animmatrix = (float*)(group+numgroups); for (j = 0; j < numgroups; j++) { - //FIXME: bound check + /*bound check*/ + if (frameinfo[j].firstpose+frameinfo[j].posecount > num_animkeys) + frameinfo[j].posecount = num_animkeys - frameinfo[j].firstpose; + if (frameinfo[j].firstpose >= num_animkeys) + { + frameinfo[j].firstpose = 0; + frameinfo[j].posecount = 1; + } + group[j].boneofs = animmatrix + 12*num_boneinfo*frameinfo[j].firstpose; group[j].numposes = frameinfo[j].posecount; if (*frameinfo[j].name) @@ -6277,9 +6285,11 @@ galiasinfo_t *Mod_ParseIQMMeshModel(model_t *mod, char *buffer) //now generate the animations. for (i = 0; i < numgroups; i++) { - if ((unsigned)framegroups[i].firstpose >= h->num_frames) + if (framegroups[i].firstpose + framegroups[i].posecount > h->num_frames) + framegroups[i].posecount = h->num_frames - framegroups[i].firstpose; + if (framegroups[i].firstpose >= h->num_frames) { - //invalid/basepose + //invalid/basepose. fgroup[i].skeltype = SKEL_ABSOLUTE; fgroup[i].boneofs = oposebase; fgroup[i].numposes = 1; 
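Review bot: The new clamp in Mod_LoadPSKModel tests `frameinfo[j].firstpose+frameinfo[j].posecount > num_animkeys`, and with both fields now unsigned that sum can wrap, so a .framegroups entry with a small firstpose and a very large posecount passes the test and reaches `group[j].numposes` unclamped. Comparing against the remaining room avoids the addition: `if (frameinfo[j].firstpose < num_animkeys && frameinfo[j].posecount > num_animkeys - frameinfo[j].firstpose)`. The Mod_ParseIQMMeshModel hunk does the same sum against `h->num_frames` before using `framegroups[i].posecount` in its else branch, and needs the same form. The `firstpose = 0; posecount = 1;` fallback also assumes at least one animation key exists, which is not visible here and is worth confirming; both loop bodies continue outside their hunks.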
@@ -6290,6 +6300,7 @@ galiasinfo_t *Mod_ParseIQMMeshModel(model_t *mod, char *buffer) fgroup[i].boneofs = opose + framegroups[i].firstpose*12*h->num_poses; fgroup[i].numposes = framegroups[i].posecount; } + fgroup[i].loop = framegroups[i].loop; fgroup[i].rate = framegroups[i].fps; Q_strncpyz(fgroup[i].name, framegroups[i].name, sizeof(fgroup[i].name));