zdoom/raze-gles
0
0
Fork 0
mirror of https://github.com/ZDoom/raze-gles.git synced 2024-11-10 23:02:03 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix potential (certain?) oob access with ST28/SE21.

Browse source 
Encountered with Scent.map.  Since the SE21 are deleted after they have
been used, the search for them in the ST28 code in sector.c may come up
empty, in which case sector[-1] would be accessed.

git-svn-id: https://svn.eduke32.com/eduke32@2377 1a8010ca-5511-0410-912e-c29ae57300e0
This commit is contained in:
helixhorned 2012-02-21 19:32:55 +00:00
parent e18063beb8
commit 0f933a8522
2 changed files with 14 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
polymer/eduke32/source/actors.c
View file

@ -7123,7 +7123,7 @@ ACTOR_STATIC void G_MoveEffectors(void) //STATNUM 3
if (klabs(*zptr-s->z) < 1024)
{
*zptr = s->z;
KILLIT(i); //All done
KILLIT(i); //All done // SE_21_KILLIT, see sector.c
}
}
else sc->extra--;

22
polymer/eduke32/source/sector.c
View file

@ -963,22 +963,26 @@ REDODOOR:
j = headspritesect[sn];
while (j >= 0)
{
if (sprite[j].statnum==3 && (sprite[j].lotag&0xff)==21)
if (sprite[j].statnum==STAT_EFFECTOR && (sprite[j].lotag&0xff)==21)
break; //Found it
j = nextspritesect[j];
}
j = sprite[j].hitag;
l = headspritestat[STAT_EFFECTOR];
while (l >= 0)
if (j >= 0) // PK: The matching SE21 might have gone, see SE_21_KILLIT in actors.c
{
if ((sprite[l].lotag&0xff)==21 && !actor[l].t_data[0] &&
j = sprite[j].hitag;
l = headspritestat[STAT_EFFECTOR];
while (l >= 0)
{
if ((sprite[l].lotag&0xff)==21 && !actor[l].t_data[0] &&
(sprite[l].hitag) == j)
actor[l].t_data[0] = 1;
l = nextspritestat[l];
actor[l].t_data[0] = 1;
l = nextspritestat[l];
}
A_CallSound(sn,ii);
}
A_CallSound(sn,ii);
return;
}