From b18fe49d0a7d267e551fd94266b67da1bbfdd0f9 Mon Sep 17 00:00:00 2001
From: Gleb Mazovetskiy
Date: Wed, 30 Oct 2019 01:02:35 +0000
Subject: [PATCH] Fix OOB in DrawSpell (#405)

The OOB here was in `_pSplLvl[spl]`. The value of SPL_INVALID is is `-1`. The fix is to not access the array when `spl == SPL_INVALID`.
---
 Source/control.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/Source/control.cpp b/Source/control.cpp
index a3192021b..918a915d7 100644
--- a/Source/control.cpp
+++ b/Source/control.cpp
@@ -226,15 +226,15 @@ void SetSpellTrans(char t)
 */
 void DrawSpell()
 {
- char spl, st;
- int tlvl;
+ char st;
+ int spl, tlvl;
 spl = plr[myplr]._pRSpell;
 st = plr[myplr]._pRSplType;
- // BUGFIX: Move the next line into the if statement to avoid OOB (SPL_INVALID is -1)
- tlvl = plr[myplr]._pISplLvlAdd + plr[myplr]._pSplLvl[spl];
+ // BUGFIX: Move the next line into the if statement to avoid OOB (SPL_INVALID is -1) (fixed)
 if (st == RSPLTYPE_SPELL && spl != SPL_INVALID) {
+ tlvl = plr[myplr]._pISplLvlAdd + plr[myplr]._pSplLvl[spl];
 if (!CheckSpell(myplr, spl, RSPLTYPE_SPELL, TRUE))
 st = RSPLTYPE_INVALID;
 if (tlvl <= 0)
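Review bot: The guard on the added `tlvl = ...` line only rules out the sentinel: `spl != SPL_INVALID` still lets any other out-of-range `plr[myplr]._pRSpell` (a different negative value, or one past the end) index `_pSplLvl`, and widening `spl` from `char` to `int` enlarges the set of values that can get there. If `_pRSpell` can be populated from a save file or other unvalidated state (not visible in this hunk), I would bound it in the condition, e.g. `spl >= 0 && spl < (int)(sizeof(plr[myplr]._pSplLvl) / sizeof(plr[myplr]._pSplLvl[0]))`, assuming `_pSplLvl` is a fixed-size array member. `tlvl` is also left uninitialized when the condition is false, which is safe only if nothing after the last visible line reads it; DrawSpell's body continues outside the hunk. The kept `// BUGFIX: ... (fixed)` comment still says "the next line", which is now the `if` itself; something like `// Index _pSplLvl only after spl is known not to be SPL_INVALID (-1)` would describe the code as it stands.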