From f1dab8604b8492f8a8b8bd5b0df2ac1d4a84dc63 Mon Sep 17 00:00:00 2001
From: Yan Sweitzer
Date: Sun, 14 May 2000 20:29:32 +0000
Subject: [PATCH] crash fix in PR_ExecuteProgram()
---
 source/pr_exec.c | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/source/pr_exec.c b/source/pr_exec.c
index 42dff85..cce3bac 100644
--- a/source/pr_exec.c
+++ b/source/pr_exec.c
@@ -400,10 +400,33 @@ while (1)
 s++; // next statement
 st = &pr_statements[s];
- a = (eval_t *)&pr_globals[st->a];
+
+ // NUM_GLOBALS in Mega2K qwprogs.dat got too big and crashes the server
+ // offsets are bigger than 32767 but encoded as signed shorts, resulting
+ // in negative indexs in pr_globals[], specifically with big maps such as
+ // frontlin.bsp. Since all arrays are static and contiguous in memory
+ // (one single alloc), data gets overwritten:
+ //
+ // pr_statements[60793].c = -32690
+ // c = (eval_t *) &pr_globals[-32690];
+ // c->_int = xxx overwrites the content of pr_functions[87]
+ //
+ // FIXME: this is a dirty crash fix. go 32 bits in progs.dat
+
+ if (st->a & 0x8000) ofsa = (int)st->a + 0xFFFF; else ofsa = st->a;
+ if (st->b & 0x8000) ofsb = (int)st->b + 0xFFFF; else ofsb = st->b;
+ if (st->c & 0x8000) ofsc = (int)st->c + 0xFFFF; else ofsc = st->c;
+
+ a = (eval_t *)&pr_globals[ofsa];
+ b = (eval_t *)&pr_globals[ofsb];
+ c = (eval_t *)&pr_globals[ofsc];
+
+ /*
+ a = (eval_t *)&pr_globals[st->a];
 b = (eval_t *)&pr_globals[st->b];
 c = (eval_t *)&pr_globals[st->c];
-
+ */
+
 if (--runaway == 0)
 PR_RunError ("runaway loop error");