If `dObject[dx][dy]` is zero, then `pn = -1`, which causes an
out-of-bounds read of the `object` array. If the memory at
`object[-1]._otype` happens to hold 84 or 85, the player is randomly
teleported to the location of the Vile Betrayer quest. This can be
triggered either by interacting with a holy shrine or by casting Phasing.
"Wherever you go, there you are"
The current definition of MFILE_NONE is set to 255 (or -1 when
interpreted as a signed 8-bit integer). The definitions of missiles
without graphic animations use MFILE_NONE for the mFileNum field in
missiledata. This is problematic as it results in an out-of-bounds
access in SetMissAnim when accessing misfiledata for such a missile.
One such example is the Recharge Staff skill which does not use a
missile graphic animation and thus has _miAnimType set to MFILE_NONE.
The code path leading to out-of-bounds access after casting Recharge
is as follows: AddMissile -> SetMissDir -> SetMissAnim, which in turn
accesses misfiledata[animtype], i.e. misfiledata[255].
The issue here is probably very unlikely to trigger anything in-game, as
the first 4 monster array elements are reserved for golems. However,
after executing the body of the `if (mi != 0) { mi--; }` if-statement,
it is not possible to determine whether mi was 0 or 1 before executing
the body. This is relevant as the pack member check should only be
performed if mi was non-zero prior to executing the body of the
if-statement.
A fix may look something like the following:
```c
if (mi != 0) {
	mi--;
	// BUGFIX: only run the pack member check if mi was non-zero prior to
	// executing the body of the above if-statement (fixed).
	if (monster[mi].leaderflag == 1
	    && monster[mi].leader == i
	    && monster[mi]._mfutx == x
	    && monster[mi]._mfuty == y) {
		mcount++;
	}
}
```
The dMonster array stores monster array index numbers + 1
(or the corresponding negative version -(index + 1)).
Prior to use, these must be decremented by 1.
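The following is an added example, not devilutionX code, that shows both points above: the dMonster encoding (index + 1, negated while the monster is moving) and why the pack member check must stay inside the `mi != 0` block. The `MonsterStruct` fields, the 3x3 grid and the scene are constructed here so it runs stand-alone; `count_pack_members` is a simplified scan, not the engine's function.

```c
#include <stdlib.h>
#include <string.h>
// Added example, not devilutionX code: stand-ins for the engine's monster
// table and dMonster grid, with a constructed scene so the snippet runs alone.
#define MAXMONSTERS 8
#define GRID 3
typedef struct {
	int leaderflag;  // 1 = follows a pack leader
	int leader;      // monster[] index of the leader
	int _mfutx;      // next x position
	int _mfuty;      // next y position
} MonsterStruct;
static MonsterStruct monster[MAXMONSTERS];
static int dMonster[GRID][GRID];  // 0 = empty, otherwise +-(index + 1)

// Count followers of leader i heading for (x, y). buggy != 0 reproduces the
// original flow, where the check also runs for empty tiles with mi == 0.
int count_pack_members(int i, int x, int y, int buggy)
{
	int mcount = 0;
	for (int tx = 0; tx < GRID; tx++) {
		for (int ty = 0; ty < GRID; ty++) {
			int mi = abs(dMonster[tx][ty]);  // sign only marks movement
			if (mi != 0)
				mi--;
			else if (!buggy)
				continue;  // fixed: empty tile, nothing to check
			if (monster[mi].leaderflag == 1 && monster[mi].leader == i
			    && monster[mi]._mfutx == x && monster[mi]._mfuty == y)
				mcount++;
		}
	}
	return mcount;
}

// Constructed scene: leader 5 at (0,0), followers 6 and 7 (7 mid-move, so
// stored negative) both heading for (2,2). Slot 0 is a golem slot holding
// stale data that happens to match, so the buggy flow counts it per empty tile.
int run_scene(int buggy)
{
	memset(monster, 0, sizeof monster);
	memset(dMonster, 0, sizeof dMonster);
	dMonster[0][0] = 6;
	dMonster[1][1] = 7;
	dMonster[2][2] = -8;
	monster[6] = (MonsterStruct){ 1, 5, 2, 2 };
	monster[7] = (MonsterStruct){ 1, 5, 2, 2 };
	monster[0] = (MonsterStruct){ 1, 5, 2, 2 };  // stale golem slot
	return count_pack_members(5, 2, 2, buggy);  // fixed: 2, buggy: 8
}
```

With the check kept inside the block the scene yields 2 followers; with the original flow the six empty tiles each add a spurious match against slot 0, giving 8.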