From cd6e846fac9ca74d2bbb973dc8c80bd159a20bdc Mon Sep 17 00:00:00 2001
From: helixhorned
Date: Fri, 9 Dec 2011 19:12:01 +0000
Subject: [PATCH] Fix potential out-of-bounds array access in P_DisplayTip (happened with WGR2 SVN, so not sure where there's a tipping animation there).

git-svn-id: https://svn.eduke32.com/eduke32@2171 1a8010ca-5511-0410-912e-c29ae57300e0
---
 polymer/eduke32/source/player.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/polymer/eduke32/source/player.c b/polymer/eduke32/source/player.c
index f1524a4ba..89d44ef77 100644
--- a/polymer/eduke32/source/player.c
+++ b/polymer/eduke32/source/player.c
@@ -2231,7 +2231,7 @@ void P_DisplayScuba(int32_t snum)
 static int32_t P_DisplayTip(int32_t gs,int32_t snum)
 {
-    int32_t p,looking_arc;
+    int32_t p,looking_arc, i, tipy;
     static int16_t tip_y[] = {0,-8,-16,-32,-64,-84,-108,-108,-108,-108,-108,-108,-108,-108,-108,-108,-96,-72,-64,-32,-16};
     if (g_player[snum].ps->tipincs == 0) return 0;
@@ -2249,8 +2249,15 @@ static int32_t P_DisplayTip(int32_t gs,int32_t snum)
     else p = wall[g_player[snum].ps->access_wallnum].pal;
     */
+
+    // FIXME?
+    // OOB access of tip_y[] happens in 'Spider Den' of WGR2 SVN r72
+    i = g_player[snum].ps->tipincs;
+    tipy = ((unsigned)i < sizeof(tip_y)/sizeof(tip_y[0])) ? (tip_y[i]>>1) : 0;
+
     G_DrawTileScaled(170+(g_player[snum].sync->avel>>4)-(g_player[snum].ps->look_ang>>1),
-                     (tip_y[g_player[snum].ps->tipincs]>>1)+looking_arc+240-((g_player[snum].ps->horiz-g_player[snum].ps->horizoff)>>4),TIP+((26-g_player[snum].ps->tipincs)>>4),gs,262144,p);
+                     tipy+looking_arc+240-((g_player[snum].ps->horiz-g_player[snum].ps->horizoff)>>4),
+                     TIP+((26-g_player[snum].ps->tipincs)>>4),gs,262144,p);
     return 1;
 }
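Review bot: The same out-of-range `tipincs` that the new guard keeps away from `tip_y[]` still feeds the tile index on the last argument line, `TIP+((26-g_player[snum].ps->tipincs)>>4)`, so a counter above 26 makes the shifted difference negative (right-shifting a negative value is implementation-defined in C) and selects a tile below `TIP`; if the oversized counter is reachable, that argument presumably wants the same bound, for example `TIP+((i <= 26) ? ((26-i)>>4) : 0)`. The `: 0` fallback also makes the bad state invisible, so the FIXME would be more useful if it stated the contract, e.g. `// tipincs is expected to stay below the tip_y[] length (21); larger values were seen with WGR2 SVN r72 and are clamped here rather than diagnosed`. Since `i` already holds the counter, the remaining `g_player[snum].ps->tipincs` read in the call could use it for consistency. P_DisplayTip's opening lines are in the previous hunk and the statements between the two hunks are not visible here.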