From 08e47e839fc681097093d4e9a832ee6914773237 Mon Sep 17 00:00:00 2001 From: Misa Date: Fri, 12 Jun 2020 19:31:08 -0700 Subject: [PATCH] Guard all cases obj.getteleporter() is used unchecked obj.getteleporter() is able to return -1. If there's no check on it, it will end up indexing out-of-bounds, which is Undefined Behavior. --- desktop_version/src/Game.cpp | 31 +++++++++++++++++++++++-------- desktop_version/src/Input.cpp | 21 +++++++++++++++------ desktop_version/src/Script.cpp | 26 +++++++++++++++++++------- 3 files changed, 57 insertions(+), 21 deletions(-) diff --git a/desktop_version/src/Game.cpp b/desktop_version/src/Game.cpp index cf5cab5f..fffc4d1a 100644 --- a/desktop_version/src/Game.cpp +++ b/desktop_version/src/Game.cpp @@ -2157,6 +2157,7 @@ void Game::updatestate() music.playef(10); break; case 2502: + { //Activating a teleporter 2 state++; statedelay = 5; @@ -2165,17 +2166,25 @@ void Game::updatestate() obj.entities[i].colour = 0; obj.entities[i].invis = false; - obj.entities[i].xp = obj.entities[obj.getteleporter()].xp+44; - obj.entities[i].yp = obj.entities[obj.getteleporter()].yp+44; + int j = obj.getteleporter(); + if (j > -1) + { + obj.entities[i].xp = obj.entities[j].xp+44; + obj.entities[i].yp = obj.entities[j].yp+44; + } obj.entities[i].ay = -6; obj.entities[i].ax = 6; obj.entities[i].vy = -6; obj.entities[i].vx = 6; i = obj.getteleporter(); - obj.entities[i].tile = 1; - obj.entities[i].colour = 101; + if (i > -1) + { + obj.entities[i].tile = 1; + obj.entities[i].colour = 101; + } break; + } case 2503: state++; i = obj.getplayer(); @@ -2316,8 +2325,11 @@ void Game::updatestate() } i = obj.getteleporter(); - obj.entities[i].tile = 1; - obj.entities[i].colour = 100; + if (i > -1) + { + obj.entities[i].tile = 1; + obj.entities[i].colour = 100; + } break; case 3006: 
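Review bot: In the `case 2502` hunk the player index `i` is still used unchecked on the context lines `obj.entities[i].colour = 0;` through `obj.entities[i].vx = 6;`, right beside the new teleporter guard. `i` is assigned outside the hunk; the neighbouring `case 2503` takes it from `obj.getplayer()`, and if that lookup can also return -1 the same out-of-bounds write remains here. The same applies to `obj.entities[player].colour = 102;` in the Input.cpp hunk at -1608 and `obj.entities[i].colour = 102;` in the one at -2113. I would wrap those writes the same way, `if (i > -1) { ... }`, or confirm that a player entity always exists in these states. The second `obj.getteleporter()` call in this case could also reuse `j` instead of searching again.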
@@ -3517,8 +3529,11 @@ void Game::updatestate() } i = obj.getteleporter(); activetele = true; - teleblock.x = obj.entities[i].xp - 32; - teleblock.y = obj.entities[i].yp - 32; + if (i > -1) + { + teleblock.x = obj.entities[i].xp - 32; + teleblock.y = obj.entities[i].yp - 32; + } teleblock.w = 160; teleblock.h = 160; hascontrol = true; diff --git a/desktop_version/src/Input.cpp b/desktop_version/src/Input.cpp index c1cb96aa..0eb0866f 100644 --- a/desktop_version/src/Input.cpp +++ b/desktop_version/src/Input.cpp @@ -1608,8 +1608,11 @@ void gameinput() obj.entities[player].colour = 102; int teleporter = obj.getteleporter(); - obj.entities[teleporter].tile = 6; - obj.entities[teleporter].colour = 102; + if (teleporter > -1) + { + obj.entities[teleporter].tile = 6; + obj.entities[teleporter].colour = 102; + } //which teleporter script do we use? it depends on the companion! game.state = 4000; game.statedelay = 0; @@ -1641,8 +1644,11 @@ void gameinput() if(companion>-1) obj.entities[companion].colour = 102; int teleporter = obj.getteleporter(); - obj.entities[teleporter].tile = 6; - obj.entities[teleporter].colour = 102; + if (teleporter > -1) + { + obj.entities[teleporter].tile = 6; + obj.entities[teleporter].colour = 102; + } //which teleporter script do we use? it depends on the companion! game.state = 3000; game.statedelay = 0; @@ -2113,8 +2119,11 @@ void teleporterinput() obj.entities[i].colour = 102; i = obj.getteleporter(); - obj.entities[i].tile = 6; - obj.entities[i].colour = 102; + if (i > -1) + { + obj.entities[i].tile = 6; + obj.entities[i].colour = 102; + } //which teleporter script do we use? it depends on the companion! game.state = 4000; game.statedelay = 0; diff --git a/desktop_version/src/Script.cpp b/desktop_version/src/Script.cpp index 4058794a..6b6bee90 100644 --- a/desktop_version/src/Script.cpp +++ b/desktop_version/src/Script.cpp 
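Review bot: When `obj.getteleporter()` returns -1 in the Game.cpp hunk at -3517, `activetele = true;` and `teleblock.w`/`teleblock.h` are still assigned, so `activetele` is on while `teleblock.x`/`teleblock.y` keep whatever values they held before. The guard removes the out-of-bounds read but leaves a stale rectangle marked active. If no teleporter means there is nothing to activate, which I assume but cannot see from here, derive the flag from the lookup: `activetele = (i > -1);`. The enclosing state case starts and ends outside the hunk, so check where `activetele` is cleared before changing it.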
@@ -1097,8 +1097,11 @@ void scriptclass::run() else if (words[0] == "activateteleporter") { i = obj.getteleporter(); - obj.entities[i].tile = 6; - obj.entities[i].colour = 102; + if (i > -1) + { + obj.entities[i].tile = 6; + obj.entities[i].colour = 102; + } } else if (words[0] == "changecolour") { @@ -1835,7 +1838,10 @@ void scriptclass::run() else if (words[0] == "activeteleporter") { i = obj.getteleporter(); - obj.entities[i].colour = 101; + if (i > -1) + { + obj.entities[i].colour = 101; + } } else if (words[0] == "foundtrinket") { @@ -3290,12 +3296,18 @@ void scriptclass::teleport() game.gravitycontrol = 0; map.gotoroom(100+game.teleport_to_x, 100+game.teleport_to_y); j = obj.getteleporter(); - obj.entities[j].state = 2; + if (j > -1) + { + obj.entities[j].state = 2; + } game.teleport_to_new_area = false; - game.savepoint = obj.entities[j].para; - game.savex = obj.entities[j].xp + 44; - game.savey = obj.entities[j].yp + 44; + if (j > -1) + { + game.savepoint = obj.entities[j].para; + game.savex = obj.entities[j].xp + 44; + game.savey = obj.entities[j].yp + 44; + } game.savegc = 0; game.saverx = game.roomx;
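Review bot: The guard in the `activateteleporter` branch, and the identical one in `activeteleporter` at -1835, has no comment saying why -1 is possible, and the command now silently does nothing. These branches are driven by script text, so this is the path where a missing teleporter is most likely to come from content rather than engine logic. One line would document it: `// no teleporter in this room: getteleporter() returned -1, ignore the command`. The same `> -1` test is now repeated at every call site in all three files, so a single helper that validates the index against the entity container would keep future call sites from omitting it. `scriptclass::run()` extends well beyond both hunks.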
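Review bot: In `scriptclass::teleport()` a missing teleporter now skips `game.savepoint`, `game.savex` and `game.savey` but still falls through to `game.savegc = 0;` and `game.saverx = game.roomx;`, so the save fields can pair the new room with the previous position. If those fields are persisted later, which is not visible here, that is a stale-state bug replacing the crash. Either skip the whole save update when `j == -1` or assign a defined fallback position. The two `if (j > -1)` blocks test the same value and could be one block, since `game.teleport_to_new_area = false;` does not depend on `j`. The function body continues past the end of the hunk.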