From ba858b38583379d02bcf7f04c925af6be77dcdd5 Mon Sep 17 00:00:00 2001 From: helixhorned Date: Sun, 11 Dec 2011 13:26:39 +0000 Subject: [PATCH] Fix a number of oob accesses with "switch switches". Various code checked for switch tiles in the following manner, for (ii=0; ii<2; ii++) switch (DynamicTileMap[sprite[i].picnum-1+ii]) { case SOME_SWITCH: ... } which blows for picnum 0. Now, we simply disallow it. git-svn-id: https://svn.eduke32.com/eduke32@2174 1a8010ca-5511-0410-912e-c29ae57300e0 --- polymer/eduke32/source/actors.c | 9 +++++++++ polymer/eduke32/source/premap.c | 3 +++ polymer/eduke32/source/sector.c | 11 +++++++---- 3 files changed, 19 insertions(+), 4 deletions(-) diff --git a/polymer/eduke32/source/actors.c b/polymer/eduke32/source/actors.c index 23f9a548b..ef53368ee 100644 --- a/polymer/eduke32/source/actors.c +++ b/polymer/eduke32/source/actors.c @@ -8045,6 +8045,10 @@ inline int32_t A_CheckEnemySprite(spritetype *s) int32_t A_CheckSwitchTile(int32_t i) { int32_t j; + + if (PN <= 0) // picnum 0 would oob in the switch below + return 0; + //MULTISWITCH has 4 states so deal with it separately if ((PN >= MULTISWITCH) && (PN <=MULTISWITCH+3)) return 1; // ACCESSSWITCH and ACCESSSWITCH2 are only active in 1 state so deal with them separately @@ -8152,6 +8156,10 @@ void G_MoveWorld(void) } for (ii=0; ii<2; ii++) + { + if (sprite[i].picnum <= 0) // oob safety + break; + switch (DynamicTileMap[sprite[i].picnum-1+ii]) { case DIPSWITCH__STATIC: @@ -8212,6 +8220,7 @@ void G_MoveWorld(void) } break; } + } switch (DynamicTileMap[sprite[i].picnum]) { diff --git a/polymer/eduke32/source/premap.c b/polymer/eduke32/source/premap.c index 165b5c9e0..6af01d654 100644 --- a/polymer/eduke32/source/premap.c +++ b/polymer/eduke32/source/premap.c @@ -1236,6 +1236,9 @@ static inline void prelevel(char g) int32_t dx, dy; int16_t sprsec; #endif + if (PN <= 0) // oob safety for switch below + continue; + for (ii=0; ii<2; ii++) switch (DynamicTileMap[PN-1+ii]) { 
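Review bot: The guard added at the top of A_CheckSwitchTile rejects only the low end of the range; nothing visible in this hunk bounds `PN` from above before it is used as a `DynamicTileMap` index. If picnum can reach this code unvalidated from map data, a value at or past the table size would read out of bounds the same way picnum 0 did. Assuming the table has MAXTILES entries, `if (PN <= 0 || PN >= MAXTILES) return 0;` closes both ends, and the same applies to the guards added in G_MoveWorld, prelevel and P_ActivateSwitch. The function body continues outside the hunk, so the indexing itself is not visible here.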
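Review bot: In G_MoveWorld the `sprite[i].picnum <= 0` test is loop-invariant but sits inside the `for (ii=0; ii<2; ii++)` body, and it does not cover the `switch (DynamicTileMap[sprite[i].picnum])` that follows the loop (visible as context in the next hunk). If a negative picnum is actually possible, as the `<=` suggests, that later switch still indexes before the start of the table. Testing once ahead of the loop, `if (sprite[i].picnum > 0)` around the `for`, reads more clearly, and a negative value should be rejected before either switch runs. If negative values cannot occur, an `== 0` test with a comment saying so would document the real invariant.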
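Review bot: The `continue` added in prelevel skips the whole remainder of the enclosing loop iteration, not just the switch-tile lookup. The loop starts and ends outside this hunk, so it cannot be confirmed from here whether later statements in the body should still run for a sprite with picnum 0; if the loop advances its index at the bottom of the body, that step would be skipped as well. Wrapping only the lookup, `if (PN > 0) for (ii=0; ii<2; ii++) switch (DynamicTileMap[PN-1+ii])`, keeps the fix local to the out-of-bounds read.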
diff --git a/polymer/eduke32/source/sector.c b/polymer/eduke32/source/sector.c index 4efedc980..f417689c9 100644 --- a/polymer/eduke32/source/sector.c +++ b/polymer/eduke32/source/sector.c @@ -1293,7 +1293,6 @@ int32_t P_ActivateSwitch(int32_t snum,int32_t w,int32_t switchtype) } switch (DynamicTileMap[switchpicnum]) { - case DIPSWITCH__STATIC: case TECHSWITCH__STATIC: case ALIENSWITCH__STATIC: @@ -1319,9 +1318,11 @@ int32_t P_ActivateSwitch(int32_t snum,int32_t w,int32_t switchtype) sprite[i].picnum++; break; default: + if (switchpicnum <= 0) // oob safety + break; + switch (DynamicTileMap[switchpicnum-1]) { - case TECHSWITCH__STATIC: case DIPSWITCH__STATIC: case ALIENSWITCH__STATIC: @@ -1363,9 +1364,9 @@ int32_t P_ActivateSwitch(int32_t snum,int32_t w,int32_t switchtype) wall[x].picnum = MULTISWITCH; } + switch (DynamicTileMap[wall[x].picnum]) { - case DIPSWITCH__STATIC: case TECHSWITCH__STATIC: case ALIENSWITCH__STATIC: @@ -1391,9 +1392,11 @@ int32_t P_ActivateSwitch(int32_t snum,int32_t w,int32_t switchtype) wall[x].picnum++; break; default: + if (wall[x].picnum <= 0) // oob safety + break; + switch (DynamicTileMap[wall[x].picnum-1]) { - case TECHSWITCH__STATIC: case DIPSWITCH__STATIC: case ALIENSWITCH__STATIC:
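Review bot: In P_ActivateSwitch the new check under `default:` runs only after the outer `switch (DynamicTileMap[switchpicnum])` has already indexed the table with the same value, so the negative half of `switchpicnum <= 0` cannot prevent an out-of-bounds read; only the `== 0` case is protected. The wall branch in the last hunk has the same shape with `wall[x].picnum`. If negative values are possible, the test belongs ahead of the outer switch. If they are not, `if (switchpicnum == 0) break;` with a short comment states the actual invariant.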