From b897a59d82b654c613a57aa60edfc4d36eafdaf6 Mon Sep 17 00:00:00 2001
From: helixhorned
Date: Sun, 25 Mar 2012 22:01:21 +0000
Subject: [PATCH] Bound-check the 'picnum' argument to rotatesprite; tweak CON digitalnumber check. There are instances where oob picnums may propagate to that function, so protect it. The digitanumber[z] bound check is actually made more permissive, but could also just as well be removed now.
git-svn-id: https://svn.eduke32.com/eduke32@2533 1a8010ca-5511-0410-912e-c29ae57300e0
---
 polymer/eduke32/build/src/engine.c | 3 +++
 polymer/eduke32/source/gameexec.c | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/polymer/eduke32/build/src/engine.c b/polymer/eduke32/build/src/engine.c
index 2ddfc599b..9c78c2307 100644
--- a/polymer/eduke32/build/src/engine.c
+++ b/polymer/eduke32/build/src/engine.c
@@ -13333,6 +13333,9 @@ void rotatesprite(int32_t sx, int32_t sy, int32_t z, int16_t a, int16_t picnum,
 int32_t i;
 permfifotype *per, *per2;
+ if ((unsigned)picnum >= MAXTILES)
+ return;
+
 if ((cx1 > cx2) || (cy1 > cy2)) return;
 if (z <= 16) return;
 if (picanm[picnum]&192) picnum += animateoffs(picnum,(int16_t)0xc000);
diff --git a/polymer/eduke32/source/gameexec.c b/polymer/eduke32/source/gameexec.c
index 3e1c5fc89..686a03b34 100644
--- a/polymer/eduke32/source/gameexec.c
+++ b/polymer/eduke32/source/gameexec.c
@@ -2454,7 +2454,8 @@ nullquote:
 int32_t x2=Gv_GetVarX(*insptr++), y2=Gv_GetVarX(*insptr++);
 int32_t z = (tw == CON_DIGITALNUMBERZ) ? Gv_GetVarX(*insptr++) : 65536;
- if (tilenum < 0 || tilenum+'9' >= MAXTILES)
+ // NOTE: '-' not taken into account, but we have rotatesprite() bound check now anyway
+ if (tilenum < 0 || tilenum+9 >= MAXTILES)
 {
 OSD_Printf(CON_ERROR "invalid base tilenum %d\n", g_errorLineNum, keyw[g_tw], tilenum);
 continue;
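Review bot: In the engine.c hunk the new `(unsigned)picnum >= MAXTILES` guard runs before `picnum += animateoffs(picnum,(int16_t)0xc000)`, so the index used after that line is no longer the one that was checked. If the animation data in `picanm[]` (which presumably comes from loaded art files) can yield an offset that moves picnum below 0 or to MAXTILES and beyond, later tile-table reads in rotatesprite() would still be out of bounds. Consider repeating the check after the offset is applied, e.g. `if ((unsigned)picnum >= MAXTILES) return;` directly below the animateoffs line, and adding a comment such as `// reject oob tile numbers from callers; picnum indexes the per-tile tables below`. The rest of rotatesprite() lies outside this hunk, so which tables are indexed afterwards should be confirmed there.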
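Review bot: In the gameexec.c hunk the relaxed test `tilenum+9 >= MAXTILES` knowingly leaves the '-' glyph uncovered and leans on the silent return added to rotatesprite() in this same commit. That backstop only protects the draw call itself: any per-tile lookup the digit-drawing code performs before calling rotatesprite() (not visible here) would still see the out-of-range index, and a script author gets no `invalid base tilenum` message for it. If the minus sign maps to a tile below the base, the lower bound should reflect that rather than `tilenum < 0`; at minimum extend the comment to state the dependency, e.g. `// relies on rotatesprite() rejecting picnum outside [0, MAXTILES); keep both checks in sync`. The enclosing CON_DIGITALNUMBER case starts and ends outside the hunk.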