From 15cbf4bae66359a3ffe9eb2b20b30ca31df39768 Mon Sep 17 00:00:00 2001
From: Christoph Oelckers
Date: Tue, 4 Oct 2016 09:28:19 +0200
Subject: [PATCH] - fixed: DecoHandleRuntimeState must check all parent classes when trying to determine if the target is a valid state. It should also ensure that both the calling and target state belong to the same actor. Although unlikely it cannot be entirely ruled out that a bogus index randomly points to a seemingly valid state elsewhere.

---
 src/thingdef/thingdef_expression.cpp | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/thingdef/thingdef_expression.cpp b/src/thingdef/thingdef_expression.cpp
index 700ac94bbb..c2b2d25e68 100644
--- a/src/thingdef/thingdef_expression.cpp
+++ b/src/thingdef/thingdef_expression.cpp
@@ -4956,6 +4956,25 @@ FxExpression *FxRuntimeStateIndex::Resolve(FCompileContext &ctx)
 return this;
 }
 
+static bool VerifyJumpTarget(AActor *stateowner, FStateParamInfo *stateinfo, int index)
+{
+ PClassActor *cls = stateowner->GetClass();
+
+ while (cls != RUNTIME_CLASS(AActor))
+ {
+ // both calling and target state need to belong to the same class.
+ if (cls->OwnsState(stateinfo->mCallingState))
+ {
+ return cls->OwnsState(stateinfo->mCallingState + index);
+ }
+
+ // We can safely assume the ParentClass is of type PClassActor
+ // since we stop when we see the Actor base class.
+ cls = static_cast(cls->ParentClass);
+ }
+ return false;
+}
+
 static int DecoHandleRuntimeState(VMFrameStack *stack, VMValue *param, int numparam, VMReturn *ret, int numret)
 {
 PARAM_PROLOGUE;
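Review bot: `stateinfo->mCallingState + index` in VerifyJumpTarget is still formed from the VM-supplied int before anything bounds it, so an out-of-range `index` produces a pointer outside the owning class's state array before `OwnsState` gets a chance to reject it; that pointer arithmetic is undefined even when the later comparison happens to behave, and `index` arrives unchecked through `PARAM_INT` in the second hunk. Keeping the check in integer space avoids the bad pointer entirely: `ptrdiff_t ofs = stateinfo->mCallingState - cls->OwnedStates; return ofs + index >= 0 && ofs + index < cls->NumOwnedStates;` — this assumes `PClassActor` exposes the owned-state array and count that `OwnsState` presumably compares against, so please confirm the member names. The rendered page shows `static_cast(cls->ParentClass)` without a template argument, which looks like the extraction dropping `<PClassActor *>` rather than the committed text, but it is worth a glance. A short header comment would also help readers, e.g. `// Walk up to the class that actually owns mCallingState; a jump may only land inside that same class's state table.`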
@@ -4963,7 +4982,7 @@ static int DecoHandleRuntimeState(VMFrameStack *stack, VMValue *param, int numpa
 PARAM_POINTER(stateinfo, FStateParamInfo);
 PARAM_INT(index);
 
- if (index == 0 || !stateowner->GetClass()->OwnsState(stateinfo->mCallingState + index))
+ if (index == 0 || !VerifyJumpTarget(stateowner, stateinfo, index))
 {
 // Null is returned if the location was invalid which means that no jump will be performed
 // if used as return value