polymost_printext256: fix oob read when passing negative 'col' or 'backcol'

values; check the color index that is potentially gotten from the string to be printed. git-svn-id: https://svn.eduke32.com/eduke32@2162 1a8010ca-5511-0410-912e-c29ae57300e0
2024-11-11 07:11:39 +00:00 · 2011-12-09 19:09:29 +00:00 · 2011-12-09 19:09:29 +00:00 · c7aa4592c2
commit c7aa4592c2
parent c112cdde89
1 changed files with 12 additions and 5 deletions
--- a/polymer/eduke32/build/src/polymost.c
+++ b/polymer/eduke32/build/src/polymost.c
@ -6047,20 +6047,25 @@ int32_t polymost_printext256(int32_t xpos, int32_t ypos, int16_t col, int16_t ba
    GLfloat tx, ty, txc, tyc;
    int32_t c;
    palette_t p,b;
+    int32_t arbackcol = backcol >= 0 ? backcol : 0;
+
+    // FIXME?
+    if (col < 0)
+        col = 0;

    if (gammabrightness)
    {
        p = curpalette[col];
-        b = curpalette[backcol];
+        b = curpalette[arbackcol];
    }
    else
    {
        p.r = britable[curbrightness][ curpalette[col].r ];
        p.g = britable[curbrightness][ curpalette[col].g ];
        p.b = britable[curbrightness][ curpalette[col].b ];
-        b.r = britable[curbrightness][ curpalette[backcol].r ];
-        b.g = britable[curbrightness][ curpalette[backcol].g ];
-        b.b = britable[curbrightness][ curpalette[backcol].b ];
+        b.r = britable[curbrightness][ curpalette[arbackcol].r ];
+        b.g = britable[curbrightness][ curpalette[arbackcol].g ];
+        b.b = britable[curbrightness][ curpalette[arbackcol].b ];
    }

    if ((rendmode < 3) || (qsetmode != 200)) return(-1);
@ -6157,7 +6162,9 @@ int32_t polymost_printext256(int32_t xpos, int32_t ypos, int16_t col, int16_t ba
                c++;
            }
            smallbuf[bi++]=0;
-            if (col)col = atol(smallbuf);
+            if (col)col = atol(smallbuf);  /* FIXME: atol is unsafe */
+            if ((unsigned)col >= 256)
+                col = 0;

            if (gammabrightness)
            {