mirror of
https://github.com/ZDoom/raze-gles.git
synced 2024-12-24 10:40:46 +00:00
Fix potential out-of-bounds array access in P_DisplayTip (happened with
WGR2 SVN, so not sure where there's a tipping animation there). git-svn-id: https://svn.eduke32.com/eduke32@2171 1a8010ca-5511-0410-912e-c29ae57300e0
This commit is contained in:
parent
3ca41992dd
commit
cd6e846fac
1 changed files with 9 additions and 2 deletions
|
@ -2231,7 +2231,7 @@ void P_DisplayScuba(int32_t snum)
|
||||||
|
|
||||||
static int32_t P_DisplayTip(int32_t gs,int32_t snum)
|
static int32_t P_DisplayTip(int32_t gs,int32_t snum)
|
||||||
{
|
{
|
||||||
int32_t p,looking_arc;
|
int32_t p,looking_arc, i, tipy;
|
||||||
static int16_t tip_y[] = {0,-8,-16,-32,-64,-84,-108,-108,-108,-108,-108,-108,-108,-108,-108,-108,-96,-72,-64,-32,-16};
|
static int16_t tip_y[] = {0,-8,-16,-32,-64,-84,-108,-108,-108,-108,-108,-108,-108,-108,-108,-108,-96,-72,-64,-32,-16};
|
||||||
|
|
||||||
if (g_player[snum].ps->tipincs == 0) return 0;
|
if (g_player[snum].ps->tipincs == 0) return 0;
|
||||||
|
@ -2249,8 +2249,15 @@ static int32_t P_DisplayTip(int32_t gs,int32_t snum)
|
||||||
else
|
else
|
||||||
p = wall[g_player[snum].ps->access_wallnum].pal;
|
p = wall[g_player[snum].ps->access_wallnum].pal;
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
// FIXME?
|
||||||
|
// OOB access of tip_y[] happens in 'Spider Den' of WGR2 SVN r72
|
||||||
|
i = g_player[snum].ps->tipincs;
|
||||||
|
tipy = ((unsigned)i < sizeof(tip_y)/sizeof(tip_y[0])) ? (tip_y[i]>>1) : 0;
|
||||||
|
|
||||||
G_DrawTileScaled(170+(g_player[snum].sync->avel>>4)-(g_player[snum].ps->look_ang>>1),
|
G_DrawTileScaled(170+(g_player[snum].sync->avel>>4)-(g_player[snum].ps->look_ang>>1),
|
||||||
(tip_y[g_player[snum].ps->tipincs]>>1)+looking_arc+240-((g_player[snum].ps->horiz-g_player[snum].ps->horizoff)>>4),TIP+((26-g_player[snum].ps->tipincs)>>4),gs,262144,p);
|
tipy+looking_arc+240-((g_player[snum].ps->horiz-g_player[snum].ps->horizoff)>>4),
|
||||||
|
TIP+((26-g_player[snum].ps->tipincs)>>4),gs,262144,p);
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue