From 63a0c7065202bed553a886e3706dfd531c51d129 Mon Sep 17 00:00:00 2001
From: Gleb Mazovetskiy
Date: Tue, 29 Oct 2019 19:47:38 +0000
Subject: [PATCH 1/4] DRLG_L5TransFix: Add BUGFIX comments
---
 Source/drlg_l1.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Source/drlg_l1.cpp b/Source/drlg_l1.cpp
index d8150f5d6..155118dcc 100644
--- a/Source/drlg_l1.cpp
+++ b/Source/drlg_l1.cpp
@@ -1540,10 +1540,12 @@ static void DRLG_L5TransFix()
 xx = 16;
 for (i = 0; i < DMAXX; i++) {
+ // BUGFIX: Should check for `j > 0` first.
 if (dungeon[i][j] == 23 && dungeon[i][j - 1] == 18) {
 dTransVal[xx + 1][yy] = dTransVal[xx][yy];
 dTransVal[xx + 1][yy + 1] = dTransVal[xx][yy];
 }
+ // BUGFIX: Should check for `i + 1 < DMAXY` first.
 if (dungeon[i][j] == 24 && dungeon[i + 1][j] == 19) {
 dTransVal[xx][yy + 1] = dTransVal[xx][yy];
 dTransVal[xx + 1][yy + 1] = dTransVal[xx][yy];
From 08fd0dce60d7f4186afabefdf9977268291ec537 Mon Sep 17 00:00:00 2001
From: Gleb Mazovetskiy
Date: Tue, 29 Oct 2019 20:51:35 +0000
Subject: [PATCH 2/4] Fix multiple OOB in L5tileFix
Refs https://github.com/diasurgical/devilutionX/pull/401
---
 Source/drlg_l1.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/Source/drlg_l1.cpp b/Source/drlg_l1.cpp
index 155118dcc..4b287d792 100644
--- a/Source/drlg_l1.cpp
+++ b/Source/drlg_l1.cpp
@@ -1186,6 +1186,9 @@ static void L5tileFix()
 {
 int i, j;
+ // BUGFIX: Bounds checks are required in all loop bodies.
+ // See https://github.com/diasurgical/devilutionX/pull/401
 for (j = 0; j < DMAXY; j++) {
 for (i = 0; i < DMAXX; i++) {
 if (dungeon[i][j] == 2 && dungeon[i + 1][j] == 22)
From 48c399c4535eda5d99b3c15f760c6a1c4008cc98 Mon Sep 17 00:00:00 2001
From: Gleb Mazovetskiy
Date: Tue, 29 Oct 2019 20:58:15 +0000
Subject: [PATCH 3/4] Fix OOBs in DRLG_L5Subs
---
 Source/drlg_l1.cpp | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Source/drlg_l1.cpp b/Source/drlg_l1.cpp
index 4b287d792..f440a8ac8 100644
--- a/Source/drlg_l1.cpp
+++ b/Source/drlg_l1.cpp
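Review bot: The second BUGFIX comment in DRLG_L5TransFix (patch 1/4) names the wrong bound: `dungeon[i + 1][j]` indexes the first dimension, which the enclosing loop limits with `i < DMAXX`, so the comment should say `i + 1 < DMAXX` rather than `i + 1 < DMAXY`. Both comments only document the problem; at `j == 0` and at `i == DMAXX - 1` the neighbour reads still fall outside the addressed row. If the original behaviour does not have to be preserved, the guards can go straight into the conditions, e.g. `if (j > 0 && dungeon[i][j] == 23 && dungeon[i][j - 1] == 18) {`. The function body starts and ends outside the hunk.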
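Review bot: The subject of patch 2/4 says the out-of-bounds accesses in L5tileFix are fixed, but the hunk only adds a comment, and the visible condition still reads `dungeon[i + 1][j]` when `i == DMAXX - 1`. The comment relies on an external pull request for the details; naming the required guard in the source keeps the information with the code, for example `// BUGFIX: every neighbour read (e.g. dungeon[i + 1][j]) needs its index checked against DMAXX/DMAXY first.` Which other neighbours the later loop bodies touch is not visible here, since the function continues past the end of the hunk.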
@@ -1313,12 +1313,14 @@ static void DRLG_L5Subs()
 rv--;
 }
+ // BUGFIX: Add `&& y > 0` to the if statement.
 if (i == 89) {
 if (L5BTYPES[dungeon[x][y - 1]] != 79 || L5dflags[x][y - 1]) i = 79;
 else dungeon[x][y - 1] = 90;
 }
+ // BUGFIX: Add `&& x + 1 < DMAXX` to the if statement.
 if (i == 91) {
 if (L5BTYPES[dungeon[x + 1][y]] != 80 || L5dflags[x + 1][y]) i = 80;
From 25011ef55bdab4f9fc3fc0d0a8a903f4914824fb Mon Sep 17 00:00:00 2001
From: Gleb Mazovetskiy
Date: Tue, 29 Oct 2019 20:40:20 +0000
Subject: [PATCH 4/4] Fix OOB in dungeon lvl2 Dark Passage generation
Dark Passage entrance index is 206 but the BSTYPES and L5BTYPES array only contain 206 elements.
---
 Source/drlg_l1.cpp | 4 ++++
 Source/drlg_l1.h | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/Source/drlg_l1.cpp b/Source/drlg_l1.cpp
index f440a8ac8..583f1a0a8 100644
--- a/Source/drlg_l1.cpp
+++ b/Source/drlg_l1.cpp
@@ -53,6 +53,8 @@ const ShadowStruct SPATS[37] = {
 { 3, 13, 11, 12, 150, 0, 0 }
 // clang-format on
 };
+
+// BUGFIX: This array should contain an additional 0 (207 elements).
 const BYTE BSTYPES[206] = {
 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 0, 0,
@@ -76,6 +78,8 @@ const BYTE BSTYPES[206] = {
 28, 1, 2, 25, 26, 22, 22, 25, 26, 0, 0, 0, 0, 0, 0, 0
 };
+
+// BUGFIX: This array should contain an additional 0 (207 elements).
 const BYTE L5BTYPES[206] = {
 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 0, 0,
diff --git a/Source/drlg_l1.h b/Source/drlg_l1.h
index 728439e7b..91a616d5f 100644
--- a/Source/drlg_l1.h
+++ b/Source/drlg_l1.h
@@ -20,8 +20,11 @@ void CreateL5Dungeon(DWORD rseed, int entry);
 /* rdata */
 extern const ShadowStruct SPATS[37];
+
+// BUGFIX: These arrays should contain an additional 0 (207 elements).
 extern const BYTE BSTYPES[206];
 extern const BYTE L5BTYPES[206];
+
 extern const BYTE STAIRSUP[];
 extern const BYTE L5STAIRSUP[];
 extern const BYTE STAIRSDOWN[];
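Review bot: The guard proposed by the first BUGFIX comment in DRLG_L5Subs, `if (i == 89 && y > 0)`, would skip the whole block at `y == 0` and leave `i` at 89 without its companion tile 90; the existing fallback `i = 79` looks like the intended outcome for that case. Putting the bound into the inner test keeps the fallback: `if (y == 0 || L5BTYPES[dungeon[x][y - 1]] != 79 || L5dflags[x][y - 1])`, and likewise a leading `x + 1 >= DMAXX ||` in the `i == 91` block. As committed, `dungeon[x][y - 1] = 90;` is still a write outside row `x` when `y == 0`, which makes this the most serious of the accesses documented in the series. The function starts and ends outside the hunk, so what happens to `i` afterwards is not visible.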
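Review bot: The comments added in patch 4/4 state the target size but not the reason, and the declared size stays `[206]` in both drlg_l1.cpp and drlg_l1.h, so a lookup with index 206 still reads one element past the end of `BSTYPES` and `L5BTYPES`. The reason currently lives only in the commit message; carrying it into the comment keeps it with the code, e.g. `// BUGFIX: tile index 206 (Dark Passage entrance) is looked up in this array; it needs a 207th element (0).` The same wording applies to the L5BTYPES hunk and to the header hunk. The lookup site itself is not part of this patch, so the note about index 206 rests on the commit description. When the arrays are extended, the definitions and the `extern` declarations in drlg_l1.h have to change together.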