From bb2ae29699806e055cf38197d0ba52cd095914b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Janiszewski?=
Date: Mon, 18 Jul 2016 19:11:52 +0200
Subject: [PATCH 1/4] Limit valid sprite indices when renaming peeps

---
 src/peep/peep.c  | 4 ++++
 src/peep/staff.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/src/peep/peep.c b/src/peep/peep.c
index 04668288a0..b2611441d9 100644
--- a/src/peep/peep.c
+++ b/src/peep/peep.c
@@ -10893,6 +10893,10 @@ money32 set_peep_name(int flags, int state, uint16 sprite_index, uint8* text_1,
 void game_command_set_guest_name(int *eax, int *ebx, int *ecx, int *edx, int *esi, int *edi, int *ebp) {
 	uint16 sprite_index = *ecx & 0xFFFF;
+	if (sprite_index >= MAX_SPRITES) {
+		*ebx = MONEY32_UNDEFINED;
+		return;
+	}
 	rct_peep *peep = GET_PEEP(sprite_index);
 	if (peep->type != PEEP_TYPE_GUEST) {
 		*ebx = MONEY32_UNDEFINED;
diff --git a/src/peep/staff.c b/src/peep/staff.c
index 4030f1ef90..64dc1ebb27 100644
--- a/src/peep/staff.c
+++ b/src/peep/staff.c
@@ -1236,6 +1236,10 @@ int staff_path_finding(rct_peep* peep) {
 void game_command_set_staff_name(int *eax, int *ebx, int *ecx, int *edx, int *esi, int *edi, int *ebp) {
 	uint16 sprite_index = *ecx & 0xFFFF;
+	if (sprite_index >= MAX_SPRITES) {
+		*ebx = MONEY32_UNDEFINED;
+		return;
+	}
 	rct_peep *peep = GET_PEEP(sprite_index);
 	if (peep->type != PEEP_TYPE_STAFF) {
 		*ebx = MONEY32_UNDEFINED;

From c2929181c27beb2b62461abcb03098ef74a2c9c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Janiszewski?=
Date: Mon, 18 Jul 2016 19:17:55 +0200
Subject: [PATCH 2/4] Ensure validity of gActiveTrackDesign

---
 src/ride/track_design.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/ride/track_design.c b/src/ride/track_design.c
index 30434ecd79..2c134ceb14 100644
--- a/src/ride/track_design.c
+++ b/src/ride/track_design.c
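Review bot: The new range check stops the out-of-table read, but `peep->type` is still read on the line after `GET_PEEP(sprite_index)` from whatever sprite slot the index names, with nothing confirming that the slot currently holds a peep rather than a free entry or a vehicle, so a stale or deliberately chosen index (this is a game command, which in multiplayer presumably arrives from other clients) can pass or fail the `PEEP_TYPE_GUEST` test on unrelated union bytes. Add a sprite-kind test before the type test, along the lines of `if (peep->sprite_identifier != SPRITE_IDENTIFIER_PEEP) { *ebx = MONEY32_UNDEFINED; return; }`, confirming the field and constant names against the project's sprite header since they are not visible in the hunk. A one-line comment on the new guard, `// sprite_index comes from the command arguments, so it is validated before indexing the sprite table`, would record why the check exists. game_command_set_guest_name continues past the end of the hunk.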
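Review bot: This guard is a byte-for-byte copy of the one just added to game_command_set_guest_name in the peep.c hunk, and that hunk's header shows a shared `money32 set_peep_name(int flags, int state, uint16 sprite_index, ...)` taking the same index; if both wrappers feed it (not visible here), the bounds check belongs once in that helper, where any future caller gets it, rather than duplicated in each command entry point. Whether or not it moves, the same slot-kind gap applies: after the bounds test `peep->type` is read from a slot that may not hold a peep, so a `sprite_identifier` check (name to be confirmed against the sprite header) should precede the `PEEP_TYPE_STAFF` test, e.g. `if (peep->sprite_identifier != SPRITE_IDENTIFIER_PEEP) { *ebx = MONEY32_UNDEFINED; return; }`. game_command_set_staff_name continues past the end of the hunk.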
@@ -1393,6 +1393,9 @@ static money32 place_track_design(sint16 x, sint16 y, sint16 z, uint8 flags, uin
 	}
 	rct_track_td6 *td6 = gActiveTrackDesign;
+	if (td6 == NULL) {
+		return MONEY32_UNDEFINED;
+	}
 	rct_object_entry *rideEntryObject = &td6->vehicle_object;
 	uint8 entryType, entryIndex;

From 2900999944e4be210ba6f00c7ed7bf3d32baabf1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Janiszewski?=
Date: Mon, 18 Jul 2016 19:35:26 +0200
Subject: [PATCH 3/4] Validate gSavePromptMode

---
 src/windows/save_prompt.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/windows/save_prompt.c b/src/windows/save_prompt.c
index ef88877004..60d0de0191 100644
--- a/src/windows/save_prompt.c
+++ b/src/windows/save_prompt.c
@@ -120,6 +120,10 @@ void window_save_prompt_open()
 	rct_widget *widgets;
 	uint64 enabled_widgets;
+	if (gSavePromptMode >= countof(window_save_prompt_labels)) {
+		log_warning("Invalid save prompt mode %u", gSavePromptMode);
+		return;
+	}
 	prompt_mode = gSavePromptMode;
 	if (prompt_mode == PM_QUIT)
 		prompt_mode = PM_SAVE_BEFORE_QUIT;

From 8446ae902623aed98755e8b7ce54cc9beed7bbce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Janiszewski?=
Date: Mon, 18 Jul 2016 23:46:08 +0200
Subject: [PATCH 4/4] Check for NULL scenery

---
 src/peep/peep.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/peep/peep.c b/src/peep/peep.c
index b2611441d9..51bfe6b04d 100644
--- a/src/peep/peep.c
+++ b/src/peep/peep.c
@@ -426,6 +426,9 @@ static uint8 peep_assess_surroundings(sint16 center_x, sint16 center_y, sint16 c
 			break;
 		scenery = get_footpath_item_entry(footpath_element_get_path_scenery_index(mapElement));
+		if (scenery == NULL) {
+			return PEEP_THOUGHT_TYPE_NONE;
+		}
 		if (footpath_element_path_scenery_is_ghost(mapElement))
 			break;
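Review bot: The new NULL guard fails silently: `return MONEY32_UNDEFINED;` tells the caller nothing about why placement was refused, whereas the save_prompt.c patch later in this series logs a warning for its equivalent invalid-state case. For consistency and diagnosability, add `log_warning("place_track_design called with no active track design");` (or the project's preferred logger) before the return, and consider whether the check should sit at function entry, since the code above the hunk and any state it has already touched are not visible here. place_track_design starts before and continues past the hunk.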
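Review bot: `%u` in the new log_warning call requires an `unsigned int` argument, and gSavePromptMode's declaration is not in the hunk; if it is an `int` or a signed 8-bit type the format is mismatched, so either cast it, `(unsigned)gSavePromptMode`, or use the specifier that matches its type. Separately, the guard tests the raw value, but the lines after it remap `PM_QUIT` to `PM_SAVE_BEFORE_QUIT` before prompt_mode is used, so the guard is only sufficient if `PM_SAVE_BEFORE_QUIT` is itself below `countof(window_save_prompt_labels)`; a comment on the guard such as `// gSavePromptMode indexes window_save_prompt_labels below; reject anything past its end` would make that dependency visible. Callers also get no window and no return value when the function bails, which may be acceptable but belongs in the function's doc comment. window_save_prompt_open continues past the end of the hunk.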
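Review bot: The new NULL check exits the whole function with `return PEEP_THOUGHT_TYPE_NONE;`, while the ghost-scenery case on the very next line uses `break` to skip only the current element; a path whose scenery object is not loaded (the likely way `get_footpath_item_entry` yields NULL, though its contract is not shown here) would therefore abort the assessment of every remaining tile instead of being ignored like a ghost. Unless a NULL entry is meant to be fatal for the assessment, `if (scenery == NULL) break;` matches the surrounding handling. Either way a one-line comment stating the intent, `// no object loaded for this path addition; skip it`, would stop the next reader from "fixing" it to match the other branch. The `break` statements imply an enclosing loop or switch that starts and ends outside the hunk, as does peep_assess_surroundings itself.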