From 6ba33a39e501a811cc6516c8ea26cfb4458404a9 Mon Sep 17 00:00:00 2001 From: Lactozilla Date: Tue, 28 Jan 2025 20:29:51 -0300 Subject: [PATCH] Check if patch data is valid before creating it --- src/console.c | 2 ++ src/hardware/hw_cache.c | 9 ++++--- src/r_patch.c | 10 +++---- src/r_patch.h | 2 +- src/r_picformats.c | 58 ++++++++++++++++++++--------------------- src/r_picformats.h | 4 +-- src/r_textures.c | 4 +++ src/w_wad.c | 7 +++-- 8 files changed, 52 insertions(+), 44 deletions(-) diff --git a/src/console.c b/src/console.c index 50ecfec9c..f6d1fc2a2 100644 --- a/src/console.c +++ b/src/console.c @@ -1737,6 +1737,8 @@ static void CON_DrawBackpic(void) // Cache the patch. con_backpic = W_CachePatchNum(piclump, PU_PATCH); + if (con_backpic == NULL) + return; // Center the backpic, and draw a vertically cropped patch. w = con_backpic->width * vid.dup; diff --git a/src/hardware/hw_cache.c b/src/hardware/hw_cache.c index b71bf7007..d402fbadc 100644 --- a/src/hardware/hw_cache.c +++ b/src/hardware/hw_cache.c @@ -483,10 +483,13 @@ static void HWR_GenerateTexture(INT32 texnum, GLMapTexture_t *grtex, GLMipmap_t realpatch = W_CachePatchNumPwad(wadnum, lumpnum, PU_PATCH); } - HWR_DrawTexturePatchInCache(mipmap, blockwidth, blockheight, texture, patch, realpatch); + if (realpatch != NULL) + { + HWR_DrawTexturePatchInCache(mipmap, blockwidth, blockheight, texture, patch, realpatch); - if (free_patch) - Patch_Free(realpatch); + if (free_patch) + Patch_Free(realpatch); + } } //Hurdler: not efficient at all but I don't remember exactly how HWR_DrawPatchInCache works :( if (format2bpp(mipmap->format)==4) diff --git a/src/r_patch.c b/src/r_patch.c index 19e66404f..cdb6f299a 100644 --- a/src/r_patch.c +++ b/src/r_patch.c @@ -31,14 +31,12 @@ patch_t *Patch_Create(INT16 width, INT16 height) return patch; } -patch_t *Patch_CreateFromDoomPatch(softwarepatch_t *source) +patch_t *Patch_CreateFromDoomPatch(softwarepatch_t *source, size_t insize) { - patch_t *patch = Patch_Create(0, 0); - if (!source) - return patch; + if (!Picture_CheckIfDoomPatch(source, insize)) + return NULL; - patch->width = SHORT(source->width); - patch->height = SHORT(source->height); + patch_t *patch = Patch_Create(SHORT(source->width), SHORT(source->height)); patch->leftoffset = SHORT(source->leftoffset); patch->topoffset = SHORT(source->topoffset); diff --git a/src/r_patch.h b/src/r_patch.h index ff76254e8..d47329421 100644 --- a/src/r_patch.h +++ b/src/r_patch.h @@ -19,7 +19,7 @@ // Patch functions patch_t *Patch_Create(INT16 width, INT16 height); -patch_t *Patch_CreateFromDoomPatch(softwarepatch_t *source); +patch_t *Patch_CreateFromDoomPatch(softwarepatch_t *source, size_t insize); void Patch_CalcDataSizes(softwarepatch_t *source, size_t *total_pixels, size_t *total_posts); void Patch_MakeColumns(softwarepatch_t *source, size_t num_columns, INT16 width, UINT8 *pixels, column_t *columns, post_t *posts, boolean flip); void Patch_Free(patch_t *patch); diff --git a/src/r_picformats.c b/src/r_picformats.c index a45c143b0..22ae1dde8 100644 --- a/src/r_picformats.c +++ b/src/r_picformats.c @@ -87,7 +87,12 @@ void *Picture_Convert( (void)insize; if (Picture_IsPatchFormat(outformat)) - return Picture_PatchConvert(informat, picture, outformat, outsize, inwidth, inheight, inleftoffset, intopoffset, flags); + { + void *converted = Picture_PatchConvert(informat, insize, picture, outformat, outsize, inwidth, inheight, inleftoffset, intopoffset, flags); + if (converted == NULL) + I_Error("Picture_Convert: conversion to patch did not result in a valid graphic"); + return converted; + } else if (Picture_IsFlatFormat(outformat)) return Picture_FlatConvert(informat, picture, outformat, outsize, inwidth, intopoffset, flags); else @@ -235,8 +240,8 @@ static void *WritePatchPixel_i8o8(void *ptr, void *input) * \return A pointer to the converted picture. */ void *Picture_PatchConvert( - pictureformat_t informat, void *picture, pictureformat_t outformat, - size_t *outsize, + pictureformat_t informat, size_t insize, void *picture, + pictureformat_t outformat, size_t *outsize, INT32 inwidth, INT32 inheight, INT32 inleftoffset, INT32 intopoffset, pictureflags_t flags) { @@ -245,7 +250,7 @@ void *Picture_PatchConvert( { if (outsize != NULL) *outsize = sizeof(patch_t); - return Patch_CreateFromDoomPatch(picture); + return Patch_CreateFromDoomPatch(picture, insize); } INT32 outbpp = Picture_FormatBPP(outformat); @@ -799,47 +804,38 @@ boolean Picture_IsFlatFormat(pictureformat_t format) } /** Returns true if the lump is a valid Doom patch. - * PICFMT_DOOMPATCH only. * * \param patch Input patch. * \param picture Input patch size. - * \return True if the input patch is valid. + * \return True if the input patch is valid, false if not. */ boolean Picture_CheckIfDoomPatch(softwarepatch_t *patch, size_t size) { - INT16 width, height; - boolean result; - - // minimum length of a valid Doom patch + // Minimum length of a valid Doom patch if (size < 13) return false; - width = SHORT(patch->width); - height = SHORT(patch->height); - result = (height > 0 && height <= 16384 && width > 0 && width <= 16384); + INT16 width = SHORT(patch->width); + INT16 height = SHORT(patch->height); + if (width <= 0 || height <= 0) + return false; - if (result) + // The dimensions seem like they might be valid for a patch, so + // check the column directory for extra security. All columns + // must begin after the column directory, and none of them must + // point past the end of the patch. + for (INT16 x = 0; x < width; x++) { - // The dimensions seem like they might be valid for a patch, so - // check the column directory for extra security. All columns - // must begin after the column directory, and none of them must - // point past the end of the patch. - INT16 x; + UINT32 ofs = LONG(patch->columnofs[x]); - for (x = 0; x < width; x++) + // Need one byte for an empty column (but there's patches that don't know that!) + if (ofs < (UINT32)width * 4 + 8 || ofs >= (UINT32)size) { - UINT32 ofs = LONG(patch->columnofs[x]); - - // Need one byte for an empty column (but there's patches that don't know that!) - if (ofs < (UINT32)width * 4 + 8 || ofs >= (UINT32)size) - { - result = false; - break; - } + return false; } } - return result; + return true; } /** Converts a texture to a flat. @@ -1373,7 +1369,9 @@ void *Picture_PNGConvert( } // Now, convert it! - converted = Picture_PatchConvert(informat, flat, outformat, outsize, (INT32)width, (INT32)height, *leftoffset, *topoffset, flags); + converted = Picture_PatchConvert(informat, flatsize, flat, outformat, outsize, (INT32)width, (INT32)height, *leftoffset, *topoffset, flags); + if (converted == NULL) + I_Error("Picture_PNGConvert: conversion to patch did not result in a valid graphic"); Z_Free(flat); return converted; } diff --git a/src/r_picformats.h b/src/r_picformats.h index 123dda976..273af4376 100644 --- a/src/r_picformats.h +++ b/src/r_picformats.h @@ -62,8 +62,8 @@ void *Picture_Convert( pictureflags_t flags); void *Picture_PatchConvert( - pictureformat_t informat, void *picture, pictureformat_t outformat, - size_t *outsize, + pictureformat_t informat, size_t insize, void *picture, + pictureformat_t outformat, size_t *outsize, INT32 inwidth, INT32 inheight, INT32 inleftoffset, INT32 intopoffset, pictureflags_t flags); void *Picture_FlatConvert( diff --git a/src/r_textures.c b/src/r_textures.c index 4c52f75eb..e988fed1d 100644 --- a/src/r_textures.c +++ b/src/r_textures.c @@ -430,6 +430,10 @@ UINT8 *R_GenerateTexture(size_t texnum) realpatch = W_CachePatchNumPwad(wadnum, lumpnum, PU_PATCH); } + // Well, it's not valid... + if (realpatch == NULL) + continue; + x1 = patch->originx; width = realpatch->width; height = realpatch->height; diff --git a/src/w_wad.c b/src/w_wad.c index 50ba622a9..fd5f7d004 100644 --- a/src/w_wad.c +++ b/src/w_wad.c @@ -2383,9 +2383,12 @@ static void *W_GetPatchPwad(UINT16 wad, UINT16 lump, INT32 tag) #endif } - dest = Patch_CreateFromDoomPatch(ptr); + dest = Patch_CreateFromDoomPatch(ptr, len); Z_Free(ptr); + if (dest == NULL) + return NULL; + Z_ChangeTag(dest, tag); Z_SetUser(dest, &lumpcache[lump]); } @@ -2403,7 +2406,7 @@ void *W_CachePatchNumPwad(UINT16 wad, UINT16 lump, INT32 tag) patch_t *patch = W_GetPatchPwad(wad, lump, tag); #ifdef HWRENDER - if (rendermode == render_opengl) + if (patch != NULL && rendermode == render_opengl) Patch_CreateGL(patch); #endif