Bound-check the 'picnum' argument to rotatesprite; tweak CON digitalnumber check.

There are instances where oob picnums may propagate to that function, so protect it. The digitanumber[z] bound check is actually made more permissive, but could also just as well be removed now. git-svn-id: https://svn.eduke32.com/eduke32@2533 1a8010ca-5511-0410-912e-c29ae57300e0
2025-01-18 06:32:37 +00:00 · 2012-03-25 22:01:21 +00:00 · 2012-03-25 22:01:21 +00:00 · b897a59d82
commit b897a59d82
parent 6cd11d0468
2 changed files with 5 additions and 1 deletions
--- a/polymer/eduke32/build/src/engine.c
+++ b/polymer/eduke32/build/src/engine.c
@ -13333,6 +13333,9 @@ void rotatesprite(int32_t sx, int32_t sy, int32_t z, int16_t a, int16_t picnum,
    int32_t i;
    permfifotype *per, *per2;

+    if ((unsigned)picnum >= MAXTILES)
+        return;
+
    if ((cx1 > cx2) || (cy1 > cy2)) return;
    if (z <= 16) return;
    if (picanm[picnum]&192) picnum += animateoffs(picnum,(int16_t)0xc000);
--- a/polymer/eduke32/source/gameexec.c
+++ b/polymer/eduke32/source/gameexec.c
@ -2454,7 +2454,8 @@ nullquote:
                int32_t x2=Gv_GetVarX(*insptr++), y2=Gv_GetVarX(*insptr++);
                int32_t z = (tw == CON_DIGITALNUMBERZ) ? Gv_GetVarX(*insptr++) : 65536;

-                if (tilenum < 0 || tilenum+'9' >= MAXTILES)
+                // NOTE: '-' not taken into account, but we have rotatesprite() bound check now anyway
+                if (tilenum < 0 || tilenum+9 >= MAXTILES)
                {
                    OSD_Printf(CON_ERROR "invalid base tilenum %d\n", g_errorLineNum, keyw[g_tw], tilenum);
                    continue;