From 14d14de9115f42465bb673e107b672900294bfb4 Mon Sep 17 00:00:00 2001
From: Tomas Dittmann
Date: Wed, 5 Jul 2017 19:00:30 +0200
Subject: [PATCH] Fix #5205: Prevent the paint loop becoming an infinite loop (#5771)

---
 src/openrct2/interface/viewport.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/openrct2/interface/viewport.c b/src/openrct2/interface/viewport.c
index 0c026f4ce7..629a0c576e 100644
--- a/src/openrct2/interface/viewport.c
+++ b/src/openrct2/interface/viewport.c
@@ -707,8 +707,12 @@ void viewport_paint(rct_viewport* viewport, rct_drawpixelinfo* dpi, sint16 left,
     dpi1.pitch = (dpi->width + dpi->pitch) - (width >> viewport->zoom);
     dpi1.zoom_level = viewport->zoom;
 
+    // make sure, the compare operation is done in sint16 to avoid the loop becoming an infiniteloop.
+    // this as well as the [x += 32] in the loop causes signed integer overflow -> undefined behaviour.
+    sint16 rightBorder = dpi1.x + dpi1.width;
+
     // Splits the area into 32 pixel columns and renders them
-    for (x = floor2(dpi1.x, 32); x < dpi1.x + dpi1.width; x += 32) {
+    for (x = floor2(dpi1.x, 32); x < rightBorder; x += 32) {
         rct_drawpixelinfo dpi2 = dpi1;
         if (x >= dpi2.x) {
             sint16 leftPitch = x - dpi2.x;
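Review bot: The two added comment lines above `sint16 rightBorder = dpi1.x + dpi1.width;` misdescribe what the fix does: in C both the addition and the `x < rightBorder` comparison are evaluated in `int` after integer promotion, so neither is "done in sint16", and the narrowing store into a `sint16` is implementation-defined (in practice it wraps) rather than undefined behaviour; the same holds for `x += 32` if `x` is a `sint16`, whose declaration lies above the hunk. What actually stops the hang is that the bound is narrowed to the loop variable's range, so it cannot sit permanently above every value `x` can take. I would reword the comment to `// Narrow the right border to sint16 up front: a bound wider than x's type could never be reached once x wraps, so the loop would not terminate.`. Note that when `dpi1.x + dpi1.width` exceeds INT16_MAX the narrowed `rightBorder` goes negative and the loop body never runs, i.e. the column is silently not painted rather than clamped; if that sum is never expected to overflow, an explicit `assert(dpi1.x + dpi1.width <= INT16_MAX);` before the narrowing would make the assumption visible instead of hiding it. viewport_paint's body continues outside the hunk.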