Originally Posted by
Gleeok
Well, maybe I am hallucinating or something, but what's to stop refInfo.d[] from being less than 1...?
m->initd[(ri->d[0]/10000) - 1][(ri->d[1]/10000)] = value;
Is this valid?
Oh dear, it looks like that one is indeed missing a sanity bound. It should have two, in fact.
Specifically, it needs this:
Code:
    int ffid = (ri->d[0]/10000)-1;
    int indx = ri->d[1]/10000;
    // Reject an out-of-range FFC id before it is used as an array index.
    if ( ffid < 0 || ffid > 31 )
    {
        Z_scripterrlog("Invalid FFC id passed to mapdata->FFCInitD[]: %d",ffid);
    }
    // Reject an out-of-range InitD[] index as well.
    else if ( indx < 0 || indx > 7 )
    {
        Z_scripterrlog("Invalid InitD[] index passed to mapdata->FFCInitD[]: %d",indx);
    }
    else
    {
        m->initd[ffid][indx] = value;
    }
One of these days I'll add some more boundscheck inline functions for this sort of thing.
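
The two checks above, factored into a reusable bounds-check helper of the kind the post mentions. This is an added example, not part of the original post or the project's code. `screen_stub`, `bounds_ok` and `set_ffc_initd` are hypothetical names, `fprintf` stands in for `Z_scripterrlog`, and the limits 32 and 8 are taken from the ranges checked in the post.

```c
#include <stdio.h>
#include <string.h>

#define NUM_FFCS  32  /* the post accepts ffid 0..31 */
#define NUM_INITD 8   /* the post accepts indx 0..7 */

/* Hypothetical stand-in for the screen data that m points to. */
struct screen_stub { int initd[NUM_FFCS][NUM_INITD]; };

/* Hypothetical reusable check: 1 if 0 <= v < limit, else log and return 0.
 * fprintf stands in for the engine's script error log. */
static inline int bounds_ok(int v, int limit, const char *what)
{
    if (v >= 0 && v < limit)
        return 1;
    fprintf(stderr, "Invalid %s: %d (valid 0..%d)\n", what, v, limit - 1);
    return 0;
}

/* d0 and d1 are the script-supplied values (scaled by 10000).
 * Returns 1 if the write happened, 0 if it was rejected. */
int set_ffc_initd(struct screen_stub *m, int d0, int d1, int value)
{
    int ffid = d0 / 10000 - 1;  /* same expression as the post */
    int indx = d1 / 10000;      /* C division truncates toward zero */

    if (!bounds_ok(ffid, NUM_FFCS, "FFC id"))
        return 0;
    if (!bounds_ok(indx, NUM_INITD, "InitD[] index"))
        return 0;
    m->initd[ffid][indx] = value;
    return 1;
}

int main(void)
{
    struct screen_stub s;
    memset(&s, 0, sizeof s);
    /* Constructed inputs: one valid write, then values outside the array. */
    printf("%d\n", set_ffc_initd(&s, 10000, 0, 42));     /* ffid 0, indx 0 */
    printf("%d\n", set_ffc_initd(&s, 0, 0, 1));          /* ffid becomes -1 */
    printf("%d\n", set_ffc_initd(&s, 330000, 0, 1));     /* ffid becomes 32 */
    printf("%d\n", set_ffc_initd(&s, 10000, 80000, 1));  /* indx becomes 8 */
    return 0;
}
```

Because C integer division truncates toward zero, a script value between -9999 and -1 divides to 0, so the check has to run on the computed index rather than on the sign of the raw value.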