From 67c1157b64fb14b28bffeb8ff76b849c8d7d467b Mon Sep 17 00:00:00 2001 From: helixhorned Date: Sun, 1 Dec 2013 18:27:52 +0000 Subject: [PATCH] Guard a sprite/actor access with sector[].hitag as index from OOB. Unlikely but possible for rogue CON code. git-svn-id: https://svn.eduke32.com/eduke32@4185 1a8010ca-5511-0410-912e-c29ae57300e0 --- polymer/eduke32/source/game.c | 1 + polymer/eduke32/source/player.c | 8 +++++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/polymer/eduke32/source/game.c b/polymer/eduke32/source/game.c index 5a0d9ba92..73cdadcc8 100644 --- a/polymer/eduke32/source/game.c +++ b/polymer/eduke32/source/game.c @@ -6737,6 +6737,7 @@ int32_t A_Spawn(int32_t j, int32_t pn) sp->extra = 0; else sp->extra = 1; + // TRAIN_SECTOR_TO_SE_INDEX sector[sect].hitag = i; j = 0; diff --git a/polymer/eduke32/source/player.c b/polymer/eduke32/source/player.c index 78b3f823d..fff566b2b 100644 --- a/polymer/eduke32/source/player.c +++ b/polymer/eduke32/source/player.c @@ -5100,12 +5100,14 @@ HORIZONLY: // ST_2_UNDERWATER if (p->cursectnum >= 0 && psectlotag < 3) { + const sectortype *sec = §or[p->cursectnum]; // p->cursectnum = s->sectnum; - if (!ud.noclip && sector[p->cursectnum].lotag == ST_31_TWO_WAY_TRAIN) + if (!ud.noclip && sec->lotag == ST_31_TWO_WAY_TRAIN) { - // XXX: POTENTIAL_OOB - if (sprite[sector[p->cursectnum].hitag].xvel && actor[sector[p->cursectnum].hitag].t_data[0] == 0) + // TRAIN_SECTOR_TO_SE_INDEX + if ((unsigned)sec->hitag < MAXSPRITES && sprite[sec->hitag].xvel + && actor[sec->hitag].t_data[0] == 0) { P_QuickKill(p); return;
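Review bot: The added `(unsigned)sec->hitag < MAXSPRITES` test in the `ST_31_TWO_WAY_TRAIN` branch of player.c keeps the `sprite[]`/`actor[]` reads in bounds, but it does not establish that the index still names the sector effector that A_Spawn stored in `sector[sect].hitag`. If CON code can overwrite that hitag with any in-range value, as the commit message implies, the `xvel` / `t_data[0] == 0` test runs on an unrelated or unused sprite slot and can still reach `P_QuickKill(p)`. If the usual Build conventions apply here, extend the condition with a liveness and type check such as `&& sprite[sec->hitag].statnum != MAXSTATUS && sprite[sec->hitag].picnum == SECTOREFFECTOR`. Failing that, spell the limitation out at both tag sites, e.g. `// TRAIN_SECTOR_TO_SE_INDEX: hitag is script-writable; only range-checked, sprite identity not verified`. The enclosing function starts and ends outside the hunk, so whether `p->cursectnum` is also bounded above before `&sector[p->cursectnum]` is taken cannot be confirmed from here.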