From 0419e64c0adc497fb30297d42a192bfbf2672c69 Mon Sep 17 00:00:00 2001
From: helixhorned
Date: Sat, 11 Jul 2015 14:13:04 +0000
Subject: [PATCH] Mapster32: fix a possible oob read via drawspritelabel; sanitize 2d3d mode.

That is, in m32_is2d3dmode(), also check if 2d and 3d mode resultions are the same. Otherwise, oob writes (e.g. via tileinfo_doprint()) and other thinkable niceties may ensue.

git-svn-id: https://svn.eduke32.com/eduke32@5291 1a8010ca-5511-0410-912e-c29ae57300e0
---
 polymer/eduke32/build/include/editor.h | 9 ++++++++-
 polymer/eduke32/build/src/build.c | 5 +++++
 polymer/eduke32/source/astub.c | 2 +-
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/polymer/eduke32/build/include/editor.h b/polymer/eduke32/build/include/editor.h
index 27a58f191..dd4098010 100644
--- a/polymer/eduke32/build/include/editor.h
+++ b/polymer/eduke32/build/include/editor.h
@@ -370,9 +370,16 @@ extern vec2_t m32_2d3d;
 #define XSIZE_2D3D (xdim2d / m32_2d3dsize)
 #define YSIZE_2D3D (ydim2d / m32_2d3dsize)
+static inline int32_t m32_2d3d_resolutions_match()
+{
+ return (xdimgame == xdim2d && ydimgame == ydim2d);
+}
+
 static inline int32_t m32_is2d3dmode(void)
 {
- return !in3dmode() && m32_2d3dmode && searchx > m32_2d3d.x && searchx < (m32_2d3d.x + XSIZE_2D3D) &&
+ return !in3dmode() && m32_2d3dmode &&
+ m32_2d3d_resolutions_match() &&
+ searchx > m32_2d3d.x && searchx < (m32_2d3d.x + XSIZE_2D3D) &&
 searchy > m32_2d3d.y && searchy < (m32_2d3d.y + YSIZE_2D3D);
 }
diff --git a/polymer/eduke32/build/src/build.c b/polymer/eduke32/build/src/build.c
index 39d9eb5c8..a53a642f7 100644
--- a/polymer/eduke32/build/src/build.c
+++ b/polymer/eduke32/build/src/build.c
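Review bot: The new helper in editor.h is declared as `m32_2d3d_resolutions_match()` with an empty parameter list, which in C is an old-style unprototyped declaration rather than a zero-argument prototype; the adjacent `m32_is2d3dmode(void)` uses the prototype form, so the helper should read `static inline int32_t m32_2d3d_resolutions_match(void)`. The header also gives no hint why equal 2d and 3d resolutions are now a precondition of 2d3d mode; that reasoning lives only in the commit message. A one-line comment above the helper would keep the intent next to the check, e.g. `// 2d3d mode requires equal 2d and 3d resolutions; with a mismatch, drawing in 2d3d mode can write out of bounds (see tileinfo_doprint).` The trailing blank context line of this hunk appears to have been lost when the patch was flattened, so the hunk's new-side count of 16 is one short in the text as shown.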
@@ -3252,6 +3252,11 @@ static void isc_transform(int32_t *x, int32_t *y)
 static void drawspritelabel(int i)
 {
+ // XXX: oob 'i' may happen, such as passing pointhighlight-16384 when
+ // pointhighlight == -1.
+ if ((unsigned)i >= MAXSPRITES)
+ return;
+
 const char *dabuffer = CallExtGetSpriteCaption(i);
 if (!dabuffer[0])
diff --git a/polymer/eduke32/source/astub.c b/polymer/eduke32/source/astub.c
index 19f549bdf..3eb492cb1 100644
--- a/polymer/eduke32/source/astub.c
+++ b/polymer/eduke32/source/astub.c
@@ -10482,7 +10482,7 @@ static void Keys2d3d(void)
 {
 keystatus[KEYSC_F10]=0;
- if (xdimgame != xdim2d || ydimgame != ydim2d)
+ if (!m32_2d3d_resolutions_match())
 message("2d and 3d mode resolutions don't match!");
 else if (!in3dmode())
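Review bot: The guard added at the top of drawspritelabel stops the out-of-bounds read at the callee, but the XXX comment itself names the root cause as a caller passing `pointhighlight-16384` while `pointhighlight == -1`; that caller (not in this hunk) presumably should confirm pointhighlight denotes a sprite before subtracting 16384, so that this check remains a defensive backstop rather than the sole protection. The `(unsigned)i >= MAXSPRITES` comparison does reject negative values such as -16385 because the cast maps them to large unsigned values, assuming MAXSPRITES is a non-negative constant; stating that in the comment would help the next reader, e.g. `// Reject negative and too-large indices in one unsigned compare.` The body of drawspritelabel continues past the end of the hunk.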