Bound-check the 'picnum' argument to rotatesprite; tweak CON digitalnumber check.

There are instances where oob picnums may propagate to that function, so
protect it.  The digitalnumber[z] bound check is actually made more permissive,
but could also just as well be removed now.

git-svn-id: https://svn.eduke32.com/eduke32@2533 1a8010ca-5511-0410-912e-c29ae57300e0
helixhorned 2012-03-25 22:01:21 +00:00
parent 6cd11d0468
commit b897a59d82
2 changed files with 5 additions and 1 deletions


@ -13333,6 +13333,9 @@ void rotatesprite(int32_t sx, int32_t sy, int32_t z, int16_t a, int16_t picnum,
int32_t i; int32_t i;
permfifotype *per, *per2; permfifotype *per, *per2;
if ((unsigned)picnum >= MAXTILES)
return;
if ((cx1 > cx2) || (cy1 > cy2)) return; if ((cx1 > cx2) || (cy1 > cy2)) return;
if (z <= 16) return; if (z <= 16) return;
if (picanm[picnum]&192) picnum += animateoffs(picnum,(int16_t)0xc000); if (picanm[picnum]&192) picnum += animateoffs(picnum,(int16_t)0xc000);
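Review bot: The added guard `if ((unsigned)picnum >= MAXTILES) return;` validates picnum only on entry, but the last visible line then does `picnum += animateoffs(picnum,(int16_t)0xc000)` and nothing in the hunk re-checks the adjusted value before it is presumably used as a tile index further down. Whether animateoffs() can move the index past MAXTILES is not visible here, so confirm it; if it can, repeat `if ((unsigned)picnum >= MAXTILES) return;` directly below that line. The commit message says the CON digitalnumber check is made more permissive in reliance on this guard, so a comment such as `/* unsigned cast also rejects negative picnum; callers rely on this as the last bound check */` would record why it must stay. rotatesprite's body continues outside the hunk.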


@ -2454,7 +2454,8 @@ nullquote:
int32_t x2=Gv_GetVarX(*insptr++), y2=Gv_GetVarX(*insptr++); int32_t x2=Gv_GetVarX(*insptr++), y2=Gv_GetVarX(*insptr++);
int32_t z = (tw == CON_DIGITALNUMBERZ) ? Gv_GetVarX(*insptr++) : 65536; int32_t z = (tw == CON_DIGITALNUMBERZ) ? Gv_GetVarX(*insptr++) : 65536;
if (tilenum < 0 || tilenum+'9' >= MAXTILES) // NOTE: '-' not taken into account, but we have rotatesprite() bound check now anyway
if (tilenum < 0 || tilenum+9 >= MAXTILES)
{ {
OSD_Printf(CON_ERROR "invalid base tilenum %d\n", g_errorLineNum, keyw[g_tw], tilenum); OSD_Printf(CON_ERROR "invalid base tilenum %d\n", g_errorLineNum, keyw[g_tw], tilenum);
continue; continue;