From 0b055de591e9652fc90c540e5935abc1d531e06f Mon Sep 17 00:00:00 2001
From: helixhorned
Date: Sun, 13 May 2012 16:05:34 +0000
Subject: [PATCH] Add tilenum bound check to CON *actor blocks when parsing, fix the other ones. The remaining checks now "continue;" when an oob tilenum is found where an oob access would ensue else. Also, it's now checked for negative numbers (the message remains the same though).
git-svn-id: https://svn.eduke32.com/eduke32@2651 1a8010ca-5511-0410-912e-c29ae57300e0
---
 polymer/eduke32/source/gamedef.c | 33 +++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/polymer/eduke32/source/gamedef.c b/polymer/eduke32/source/gamedef.c
index a520ec6d4..b20a4756b 100644
--- a/polymer/eduke32/source/gamedef.c
+++ b/polymer/eduke32/source/gamedef.c
@@ -2693,6 +2693,13 @@ static int32_t C_ParseCommand(int32_t loop)
 C_GetNextValue(LABEL_DEFINE);
 g_scriptPtr--;
+ if ((unsigned)*g_scriptPtr >= MAXTILES)
+ {
+ C_ReportError(ERROR_EXCEEDSMAXTILES);
+ g_numCompilerErrors++;
+ continue;
+ }
+
 if (tw == CON_EVENTLOADACTOR)
 {
 actorLoadEventScrptr[*g_scriptPtr] = g_parsingActorPtr;
@@ -3944,17 +3951,18 @@ static int32_t C_ParseCommand(int32_t loop)
 C_GetNextValue(LABEL_DEFINE);
 j = *(g_scriptPtr-1);
- if (j > MAXTILES-1)
- {
- C_ReportError(ERROR_EXCEEDSMAXTILES);
- g_numCompilerErrors++;
- }
-
 C_GetNextValue(LABEL_DEFINE);
 y = *(g_scriptPtr-1);
 C_GetNextValue(LABEL_DEFINE);
 z = *(g_scriptPtr-1);
+ if ((unsigned)j >= MAXTILES)
+ {
+ C_ReportError(ERROR_EXCEEDSMAXTILES);
+ g_numCompilerErrors++;
+ continue;
+ }
+
 switch (y)
 {
 case PROJ_WORKSLIKE:
@@ -4029,14 +4037,16 @@ static int32_t C_ParseCommand(int32_t loop)
 g_scriptPtr--;
 j = *g_scriptPtr;
- if (j > MAXTILES-1)
+ C_GetNextValue(LABEL_DEFINE);
+ g_scriptPtr--;
+
+ if ((unsigned)j >= MAXTILES)
 {
 C_ReportError(ERROR_EXCEEDSMAXTILES);
 g_numCompilerErrors++;
+ continue;
 }
- C_GetNextValue(LABEL_DEFINE);
- g_scriptPtr--;
 SpriteFlags[j] = *g_scriptPtr;
 continue;
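Review bot: The new guard in the hunk at -2693 leaves with `continue` as soon as the tile number has been read, whereas the hunks at -3944 and -4029 consume the remaining operands first and only then check. The rest of the actor-block handling lies outside the hunk, so this cannot be confirmed here, but any header values that follow the tile number would presumably be parsed as commands and bury the real error under follow-on ones. Separately, the `(unsigned)` cast is the only thing that keeps a negative tile number from a CON script from indexing `actorLoadEventScrptr`, and nothing says so. A comment such as `/* unsigned compare also rejects negative tile numbers */` above the `if` would protect it from a later cleanup; the same applies to the checks in the other four hunks.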
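Review bot: Nothing in the hunk at -3944 records why the range check on `j` now sits below the reads of `y` and `z`, and the hunk at -4029 makes the same move around the second `C_GetNextValue(LABEL_DEFINE)` without comment. The likely intent is that every operand is consumed before `continue`, so the parser resumes at the next command rather than in the middle of this one. That ordering is easy to undo by accident when someone moves the check back next to the read. I would add `/* check after all operands are read so that continue resumes at the next command */` above both `if ((unsigned)j >= MAXTILES)` lines. The `switch (y)` body continues outside the first hunk.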
@@ -4061,10 +4071,11 @@ static int32_t C_ParseCommand(int32_t loop)
 g_scriptPtr--;
 j = *g_scriptPtr;
- if (j > MAXTILES-1)
+ if ((unsigned)j >= MAXTILES)
 {
 C_ReportError(ERROR_EXCEEDSMAXTILES);
 g_numCompilerErrors++;
+ continue;
 }
 switch (tw)
@@ -4086,7 +4097,7 @@ static int32_t C_ParseCommand(int32_t loop)
 C_GetNextValue(LABEL_DEFINE);
 g_scriptPtr--;
 i = *g_scriptPtr;
- if (i > MAXTILES-1)
+ if ((unsigned)i >= MAXTILES)
 {
 C_ReportError(ERROR_EXCEEDSMAXTILES);
 g_numCompilerErrors++;
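Review bot: The check on `i` in the hunk at -4086 gets the unsigned comparison but, unlike the other four checks in this patch, no `continue;` after `g_numCompilerErrors++;`. The commit message says `continue` was added only where an out-of-bounds access would otherwise follow, but the code after the block's closing brace is outside the hunk, so that cannot be verified from here. If `i` is used as an array index later in this command, an invalid tile number from the script is reported and then still used. Either add `continue;` here as well (after any remaining operands are read), or mark the difference as deliberate with a comment such as `/* no continue: i is not used as an index below */`.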