From 1a1112b4c1be9fc375f3dde0075b917e5432847e Mon Sep 17 00:00:00 2001
From: "Richard C. Gobeille"
Date: Mon, 4 May 2020 19:11:56 -0700
Subject: [PATCH] Duke3d: fix OOB memory access in CON_FOR

---
 source/duke3d/src/gameexec.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/source/duke3d/src/gameexec.cpp b/source/duke3d/src/gameexec.cpp
index 1f9884e6a..cd28e8742 100644
--- a/source/duke3d/src/gameexec.cpp
+++ b/source/duke3d/src/gameexec.cpp
@@ -2743,7 +2743,7 @@ GAMEEXEC_STATIC void VM_Execute(int const loop /*= false*/)
 case ITER_ALLSPRITESBYSTAT:
 for (native_t statNum = 0; statNum < MAXSTATUS; ++statNum)
 {
- for (native_t jj = headspritestat[statNum], kk = nextspritestat[jj]; jj >= 0; jj = kk, kk = nextspritestat[jj])
+ for (native_t kk, SPRITES_OF_STAT_SAFE(statNum, jj, kk))
 CON_FOR_ITERATION();
 }
 break;
@@ -2751,7 +2751,7 @@ GAMEEXEC_STATIC void VM_Execute(int const loop /*= false*/)
 case ITER_ALLSPRITESBYSECT:
 for (native_t sectNum = 0; sectNum < numsectors; ++sectNum)
 {
- for (native_t jj = headspritesect[sectNum], kk = nextspritesect[jj]; jj >= 0; jj = kk, kk = nextspritesect[jj])
+ for (native_t kk, SPRITES_OF_SECT_SAFE(sectNum, jj, kk))
 CON_FOR_ITERATION();
 }
 break;
@@ -2786,7 +2786,7 @@ GAMEEXEC_STATIC void VM_Execute(int const loop /*= false*/)
 if ((unsigned)nIndex >= MAXSECTORS)
 goto badindex;

- for (native_t jj = headspritesect[nIndex], kk = nextspritesect[jj]; jj >= 0; jj = kk, kk = nextspritesect[jj])
+ for (native_t kk, SPRITES_OF_SECT_SAFE(nIndex, jj, kk))
 CON_FOR_ITERATION();
 break;

@@ -2794,7 +2794,7 @@ GAMEEXEC_STATIC void VM_Execute(int const loop /*= false*/)
 if ((unsigned)nIndex >= MAXSTATUS)
 goto badindex;

- for (native_t jj = headspritestat[nIndex], kk = nextspritestat[jj]; jj >= 0; jj = kk, kk = nextspritestat[jj])
+ for (native_t kk, SPRITES_OF_STAT_SAFE(nIndex, jj, kk))
 CON_FOR_ITERATION();
 break;

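Review bot: The rewritten loop at @@ -2743 (and the same rewrite at @@ -2751, @@ -2786 and @@ -2794) now relies entirely on SPRITES_OF_STAT_SAFE / SPRITES_OF_SECT_SAFE for its bounds guarantee, and nothing at the call site records that. The removed form read `nextspritestat[jj]` in both the initializer and the step before testing `jj >= 0`, so an empty list or the end of a list indexed the array with -1. The macro definitions are outside this diff, so it should be confirmed there that they read the successor only while `jj >= 0`. I would add a comment above the first loop, for example `// _SAFE: next link is read only while jj >= 0 and cached before the body runs; jj is declared by the macro`, with the last clause hedged until the expansion is checked. VM_Execute begins and ends outside all four hunks.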
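Review bot: The guard kept in front of the rewritten loop at @@ -2786 accepts any `nIndex` below MAXSECTORS, whereas the ITER_ALLSPRITESBYSECT loop at @@ -2751 stops at `numsectors`. A script-supplied index between numsectors and MAXSECTORS presumably stays inside the array, but this diff does not show whether `headspritesect` holds -1 for those unused sectors. If a stale head can remain there, the loop would walk a list that does not belong to the current map. Consider `if ((unsigned)nIndex >= (unsigned)numsectors) goto badindex;` unless scripts are known to rely on the wider range. The case label and the rest of the switch are outside the hunk.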