mirror of
https://github.com/ZDoom/raze-gles.git
synced 2024-12-24 02:30:46 +00:00
Fix potential out-of-bounds array access in P_DisplayTip (happened with
WGR2 SVN, so not sure where there's a tipping animation there). git-svn-id: https://svn.eduke32.com/eduke32@2171 1a8010ca-5511-0410-912e-c29ae57300e0
This commit is contained in:
parent
3ca41992dd
commit
cd6e846fac
1 changed files with 9 additions and 2 deletions
|
@ -2231,7 +2231,7 @@ void P_DisplayScuba(int32_t snum)
|
|||
|
||||
static int32_t P_DisplayTip(int32_t gs,int32_t snum)
|
||||
{
|
||||
int32_t p,looking_arc;
|
||||
int32_t p,looking_arc, i, tipy;
|
||||
static int16_t tip_y[] = {0,-8,-16,-32,-64,-84,-108,-108,-108,-108,-108,-108,-108,-108,-108,-108,-96,-72,-64,-32,-16};
|
||||
|
||||
if (g_player[snum].ps->tipincs == 0) return 0;
|
||||
|
@ -2249,8 +2249,15 @@ static int32_t P_DisplayTip(int32_t gs,int32_t snum)
|
|||
else
|
||||
p = wall[g_player[snum].ps->access_wallnum].pal;
|
||||
*/
|
||||
|
||||
// FIXME?
|
||||
// OOB access of tip_y[] happens in 'Spider Den' of WGR2 SVN r72
|
||||
i = g_player[snum].ps->tipincs;
|
||||
tipy = ((unsigned)i < sizeof(tip_y)/sizeof(tip_y[0])) ? (tip_y[i]>>1) : 0;
|
||||
|
||||
G_DrawTileScaled(170+(g_player[snum].sync->avel>>4)-(g_player[snum].ps->look_ang>>1),
|
||||
(tip_y[g_player[snum].ps->tipincs]>>1)+looking_arc+240-((g_player[snum].ps->horiz-g_player[snum].ps->horizoff)>>4),TIP+((26-g_player[snum].ps->tipincs)>>4),gs,262144,p);
|
||||
tipy+looking_arc+240-((g_player[snum].ps->horiz-g_player[snum].ps->horizoff)>>4),
|
||||
TIP+((26-g_player[snum].ps->tipincs)>>4),gs,262144,p);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue