From 6c54bacd41c548b3ef0f1a5c86e4096dfe4d5df6 Mon Sep 17 00:00:00 2001
From: Michael Steenbeek
Date: Sun, 28 Aug 2022 23:46:50 +0200
Subject: [PATCH] Fix #17921: NPE in track_block_get_next() (#17922)
---
 src/openrct2/ride/Ride.cpp | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/openrct2/ride/Ride.cpp b/src/openrct2/ride/Ride.cpp
index 08119d3134..1977fde4d5 100644
--- a/src/openrct2/ride/Ride.cpp
+++ b/src/openrct2/ride/Ride.cpp
@@ -557,7 +557,16 @@ bool track_block_get_next(CoordsXYE* input, CoordsXYE* output, int32_t* z, int32
 if (trackBlock == nullptr) return false;
- trackBlock += inputElement->GetSequenceIndex();
+ // The sequence index may be higher than the amount of sequences actually present.
+ // We don’t know the amount of sequences present in the block upfront, but there is an end marker consisting of all 255s.
+ const auto sequenceIndex = inputElement->GetSequenceIndex();
+ for (auto i = 0; i < sequenceIndex; i++)
+ {
+ trackBlock++;
+
+ if (trackBlock == nullptr || trackBlock->index == 255)
+ return false;
+ }
 const auto& trackCoordinate = ted.Coordinates;