From b6475100d773096b747c720fec62772f9de8c103 Mon Sep 17 00:00:00 2001
From: helixhorned
Date: Mon, 28 Oct 2013 21:26:32 +0000
Subject: [PATCH] In G_SaveMapState, fix 1024-byte write beyond array bound on 64-bit platforms. This was caused by mismatched for types mapstate_t's animateptr[] and the global one (int32_t vs. int32_t *). Bump BYTEVERSION.
git-svn-id: https://svn.eduke32.com/eduke32@4125 1a8010ca-5511-0410-912e-c29ae57300e0
---
 polymer/eduke32/source/duke3d.h | 2 +-
 polymer/eduke32/source/gameexec.c | 4 ++++
 polymer/eduke32/source/sector.h | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/polymer/eduke32/source/duke3d.h b/polymer/eduke32/source/duke3d.h
index 3ae5f2bcc..65e9b599b 100644
--- a/polymer/eduke32/source/duke3d.h
+++ b/polymer/eduke32/source/duke3d.h
@@ -62,7 +62,7 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 # define BYTEVERSION_JF 288
 #else
 // Non-Lua build
-# define BYTEVERSION_JF 285
+# define BYTEVERSION_JF 288
 #endif
 #define BYTEVERSION_13 27
diff --git a/polymer/eduke32/source/gameexec.c b/polymer/eduke32/source/gameexec.c
index 9678a328a..13ee94a63 100644
--- a/polymer/eduke32/source/gameexec.c
+++ b/polymer/eduke32/source/gameexec.c
@@ -5535,6 +5535,10 @@ void G_SaveMapState(void)
 Bmemcpy(&save->animateptr[0],&animateptr[0],sizeof(animateptr));
 G_Util_PtrToIdx(animateptr, g_animateCount, sector, P2I_BACK);
+ {
+ EDUKE32_STATIC_ASSERT(sizeof(save->animateptr) == sizeof(animateptr));
+ }
+
 Bmemcpy(&save->g_numPlayerSprites,&g_numPlayerSprites,sizeof(g_numPlayerSprites));
 Bmemcpy(&save->g_earthquakeTime,&g_earthquakeTime,sizeof(g_earthquakeTime));
 Bmemcpy(&save->lockclock,&lockclock,sizeof(lockclock));
diff --git a/polymer/eduke32/source/sector.h b/polymer/eduke32/source/sector.h
index c6f7a12a6..3683afa64 100644
--- a/polymer/eduke32/source/sector.h
+++ b/polymer/eduke32/source/sector.h
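Review bot: The added EDUKE32_STATIC_ASSERT in G_SaveMapState ties only the animateptr pair together; the Bmemcpy calls after it in this hunk (g_numPlayerSprites, g_earthquakeTime, lockclock) are still sized by the source global, with nothing checking that the matching field in `save` is the same size. A later type change on either side would reintroduce the same kind of out-of-bounds write that this commit fixes. Repeating the assertion for each copy, each in a braced block as done here, e.g. `EDUKE32_STATIC_ASSERT(sizeof(save->lockclock) == sizeof(lockclock));`, would close that gap; any restore routine that copies in the opposite direction (not visible here) would want the same check. The assertion would also be easier to audit placed directly before the Bmemcpy it guards rather than after the G_Util_PtrToIdx call. G_SaveMapState begins and ends outside the hunk.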
@@ -40,7 +40,7 @@ typedef struct {
 // this needs to have a copy of everything related to the map/actor state
 // see savegame.c
 int32_t animategoal[MAXANIMATES], animatevel[MAXANIMATES], g_animateCount;
- int32_t animateptr[MAXANIMATES];
+ intptr_t animateptr[MAXANIMATES];
 int32_t lockclock;
 int32_t msx[2048], msy[2048];
 int32_t randomseed, g_globalRandom;
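Review bot: The widened `animateptr` field carries no comment explaining why it alone is `intptr_t` among `int32_t` neighbours, which invites a later tidy-up back to the type that overflowed. I would add above it `// pointer-sized on purpose: G_SaveMapState Bmemcpy's the global int32_t *animateptr[] into this array`. Since the existing comment points at savegame.c, it is also worth confirming whether this struct is ever written out as raw bytes; if it is, its layout now differs between 32-bit and 64-bit builds, and the BYTEVERSION bump by itself would not tell those apart. The struct definition continues outside the hunk.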