Bullet, Caret, NpcAct1{2,4,8}0, TextScr: Add a note about some overflow bugs

2020-03-17 15:31:02 +01:00 · 2020-03-17 15:31:02 +01:00 · 6f114d0da5
commit 6f114d0da5
parent 7fe29e6ac5
6 changed files with 22 additions and 3 deletions
--- a/src/Bullet.cpp
+++ b/src/Bullet.cpp
@ -1642,6 +1642,8 @@ void ActBullet_Edge(BULLET *bul)
 		{96, 88, 120, 112},
 	};

+	// Note that 'bul->ani_no' can exceed the size of 'rcLeft' and 'rcRight'
+
 	if (bul->direct == 0)
 		bul->rect = rcLeft[bul->ani_no];
 	else
--- a/src/Caret.cpp
+++ b/src/Caret.cpp
@ -76,6 +76,8 @@ void ActCaret01(CARET *crt)
 			crt->cond = 0;
 	}

+	// Note that 'crt->ani_no' can exceed the size of 'rcLeft' and 'rcRight'
+
 	if (crt->direct == 0)
 		crt->rect = rcLeft[crt->ani_no];
 	else
@ -244,6 +246,8 @@ void ActCaret07(CARET *crt)
 			crt->cond = 0;
 	}

+	// Note that 'crt->ani_no' can exceed the size of rcLeft
+
 	crt->rect = rcLeft[crt->ani_no];

 	switch (crt->direct)
@ -446,6 +450,8 @@ void ActCaret14(CARET *crt)
 			crt->cond = 0;
 	}

+	// Note that 'crt->ani_no' can exceed the size of 'rect'
+
 	crt->rect = rect[crt->ani_no];
 }

@ -466,6 +472,8 @@ void ActCaret15(CARET *crt)
 			crt->cond = 0;
 	}

+	// Note that 'crt->ani_no' can exceed the size of 'rcLeft'
+
 	crt->rect = rcLeft[crt->ani_no];
 }

--- a/src/NpcAct120.cpp
+++ b/src/NpcAct120.cpp
@ -588,6 +588,8 @@ void ActNpc127(NPCHAR *npc)
 			npc->cond = 0;
 	}

+	// Note that 'npc->ani_no' can exceed the size of 'rcH' and 'rcV'
+
 	if (npc->direct == 0)
 		npc->rect = rcH[npc->ani_no];
 	else
@ -648,6 +650,8 @@ void ActNpc128(NPCHAR *npc)
 	if (++npc->ani_no > 4)
 		npc->cond = 0;

+	// Note that 'npc->ani_no' can exceed the bounds of 'rcLeft', 'rcUp', 'rcRight' and 'rcDown'
+
 	switch (npc->direct)
 	{
 		case 0:
@ -702,6 +706,8 @@ void ActNpc129(NPCHAR *npc)

 	npc->y += npc->ym;

+	// Note that '(npc->direct * 3) + npc->ani_no' can exceed the size of 'rect'
+
 	npc->rect = rect[(npc->direct * 3) + npc->ani_no];
 }

--- a/src/NpcAct140.cpp
+++ b/src/NpcAct140.cpp
@ -758,6 +758,7 @@ void ActNpc146(NPCHAR *npc)
 			break;
 	}

+	// Note that 'npc->ani_no' can exceed the size of 'rect'
 	npc->rect = rect[npc->ani_no];
 }

--- a/src/NpcAct180.cpp
+++ b/src/NpcAct180.cpp
@ -1431,5 +1431,6 @@ void ActNpc199(NPCHAR *npc)
 	npc->x += npc->xm;
 	npc->y += npc->ym;

+	// Note that 'npc->ani_no' can exceed the size of 'rect'
 	npc->rect = rect[npc->ani_no];
 }
--- a/src/TextScr.cpp
+++ b/src/TextScr.cpp
@ -33,6 +33,7 @@
 #include "Sound.h"
 #include "Stage.h"

+// This limits the size of a .tsc script to 0x5000 bytes (the game will crash above this)
 #define TSC_BUFFER_SIZE 0x5000

 #define TEXT_LEFT (WINDOW_WIDTH / 2 - 108)
@ -136,7 +137,7 @@ BOOL LoadTextScript2(const char *name)
 	if (fp == NULL)
 		return FALSE;

-	// Read data
+	// Read data. Note that gTS.size may exceed the size of 'gTS.data' (TSC_BUFFER_SIZE)
 	fread(gTS.data, 1, gTS.size, fp);
 	gTS.data[gTS.size] = 0;
 	fclose(fp);
@ -169,7 +170,7 @@ BOOL LoadTextScript_Stage(const char *name)
 	if (fp == NULL)
 		return FALSE;

-	// Read Head.tsc
+	// Read Head.tsc. Note that head_size may exceed the size of 'gTS.data' (TSC_BUFFER_SIZE)
 	fread(gTS.data, 1, head_size, fp);
 	EncryptionBinaryData2((unsigned char*)gTS.data, head_size);
 	gTS.data[head_size] = 0;
@ -186,7 +187,7 @@ BOOL LoadTextScript_Stage(const char *name)
 	if (fp == NULL)
 		return FALSE;

-	// Read stage's tsc
+	// Read stage's tsc. Note that head_size + body_size may exceed the size of 'gTS.data' (TSC_BUFFER_SIZE)
 	fread(&gTS.data[head_size], 1, body_size, fp);
 	EncryptionBinaryData2((unsigned char*)&gTS.data[head_size], body_size);
 	gTS.data[head_size + body_size] = 0;