From 9eb6ee2417a830c52a91aa79011c6047004b3356 Mon Sep 17 00:00:00 2001
From: mrmbernardi <mrmbernardi@gmail.com>
Date: Wed, 16 Oct 2024 07:03:38 +1100
Subject: [PATCH] Fix UB from unaligned load of RLE line offsets

---
 src/openrct2/drawing/Drawing.Sprite.RLE.cpp | 7 ++++---
 src/openrct2/interface/Viewport.cpp         | 8 ++++----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/openrct2/drawing/Drawing.Sprite.RLE.cpp b/src/openrct2/drawing/Drawing.Sprite.RLE.cpp
index 1e4d675535..defed692ee 100644
--- a/src/openrct2/drawing/Drawing.Sprite.RLE.cpp
+++ b/src/openrct2/drawing/Drawing.Sprite.RLE.cpp
@@ -15,8 +15,7 @@
 template<DrawBlendOp TBlendOp> static void FASTCALL DrawRLESpriteMagnify(DrawPixelInfo& dpi, const DrawSpriteArgs& args)
 {
     auto& paletteMap = args.PalMap;
-    auto lineOffsets = reinterpret_cast<const uint16_t*>(args.SourceImage.offset);
-    auto src0 = args.SourceImage.offset;
+    auto imgData = args.SourceImage.offset;
     auto dst = args.DestinationBits;
     auto srcX = args.SrcX;
     auto srcY = args.SrcY;
@@ -29,7 +28,9 @@ template<DrawBlendOp TBlendOp> static void FASTCALL DrawRLESpriteMagnify(DrawPix
     {
         uint8_t* nextDst = dst + dstLineWidth;
         const int32_t rowNum = zoom.ApplyTo(srcY + y);
-        const uint8_t* data8 = src0 + lineOffsets[rowNum];
+        uint16_t lineOffset;
+        std::memcpy(&lineOffset, &imgData[rowNum * sizeof(uint16_t)], sizeof(uint16_t));
+        const uint8_t* data8 = imgData + lineOffset;
 
         bool lastDataForLine = false;
         int32_t numPixels = 0;
diff --git a/src/openrct2/interface/Viewport.cpp b/src/openrct2/interface/Viewport.cpp
index 64c5b6b4d0..ef05f4f5a6 100644
--- a/src/openrct2/interface/Viewport.cpp
+++ b/src/openrct2/interface/Viewport.cpp
@@ -1552,11 +1552,11 @@ static bool IsPixelPresentBMP(
 /**
  * rct2: 0x0067933B, 0x00679788, 0x00679C4A, 0x0067A117
  */
-static bool IsPixelPresentRLE(const void* data, const int32_t x, const int32_t y)
+static bool IsPixelPresentRLE(const uint8_t* imgData, const int32_t x, const int32_t y)
 {
-    const uint16_t* data16 = static_cast<const uint16_t*>(data);
-    uint16_t startOffset = data16[y];
-    const uint8_t* data8 = static_cast<const uint8_t*>(data) + startOffset;
+    uint16_t lineOffset;
+    std::memcpy(&lineOffset, &imgData[y * sizeof(uint16_t)], sizeof(uint16_t));
+    const uint8_t* data8 = imgData + lineOffset;
 
     bool lastDataLine = false;
     while (!lastDataLine)