From ff9417f4a6cb61129adc95fa59784d6065557674 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Janiszewski?=
Date: Wed, 7 Jun 2017 22:56:29 +0200
Subject: [PATCH] Validate access to peep_loading_positions (#4475)
---
 src/openrct2/object/RideObject.cpp | 4 ++++
 src/openrct2/object/RideObject.h | 1 +
 src/openrct2/peep/peep.c | 3 +++
 src/openrct2/ride/ride.h | 2 +-
 src/openrct2/ride/vehicle.h | 5 ++++-
 5 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/openrct2/object/RideObject.cpp b/src/openrct2/object/RideObject.cpp
index 4895930e7f..355de4e802 100644
--- a/src/openrct2/object/RideObject.cpp
+++ b/src/openrct2/object/RideObject.cpp
@@ -126,6 +126,7 @@ void RideObject::ReadLegacy(IReadObjectContext * context, IStream * stream)
 numPeepLoadingPositions = stream->ReadValue();
 }
 _peepLoadingPositions[i] = stream->ReadArray(numPeepLoadingPositions);
+ _peepLoadingPositionsCount[i] = numPeepLoadingPositions;
 }
 GetImageTable()->Read(context, stream);
@@ -354,6 +355,9 @@ void RideObject::Load()
 set_vehicle_type_image_max_sizes(vehicleEntry, num_images);
 }
 vehicleEntry->peep_loading_positions = _peepLoadingPositions[i];
+#ifdef NO_RCT2
+ vehicleEntry->peep_loading_positions_count = _peepLoadingPositionsCount[i];
+#endif
 }
 }
 }
diff --git a/src/openrct2/object/RideObject.h b/src/openrct2/object/RideObject.h
index 70809b41b5..46062c64b9 100644
--- a/src/openrct2/object/RideObject.h
+++ b/src/openrct2/object/RideObject.h
@@ -29,6 +29,7 @@ private:
 rct_ride_entry _legacyType = { 0 };
 vehicle_colour_preset_list _presetColours = { 0 };
 sint8 * _peepLoadingPositions[4] = { nullptr };
+ uint16 _peepLoadingPositionsCount[4] = { 0 };
 public:
 explicit RideObject(const rct_object_entry &entry) : Object(entry) { }
diff --git a/src/openrct2/peep/peep.c b/src/openrct2/peep/peep.c
index e152b0dc8b..1aff6fdfd6 100644
--- a/src/openrct2/peep/peep.c
+++ b/src/openrct2/peep/peep.c
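Review bot: The `#ifdef NO_RCT2` around the `peep_loading_positions_count` assignment in `RideObject::Load()` carries no explanation, while the matching store into `_peepLoadingPositionsCount[i]` in `ReadLegacy()` one hunk earlier is unconditional, so a reader has to open vehicle.h to learn why the count is only wired through in one build configuration. A comment above the `#ifdef` would make the intent visible at the point of use: `// peep_loading_positions_count exists only in NO_RCT2 builds, where rct_ride_entry_vehicle need not match the RCT2 struct layout (see the size assertion in vehicle.h)`. The enclosing function body continues outside the hunk.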
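Review bot: The new `_peepLoadingPositionsCount[4]` member in RideObject.h is undocumented, and its coupling to `_peepLoadingPositions[4]` (same index, element count of the array that pointer refers to) is only implied by the name. A comment would pin the invariant that the new bounds check in peep.c relies on: `// Number of sint8 entries in _peepLoadingPositions[i]; both are filled together in ReadLegacy()`. The hard-coded 4 now appears in both declarations; a shared named constant would keep them from drifting apart, though that is beyond this change.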
@@ -2778,6 +2778,9 @@ static void peep_update_ride_sub_state_1(rct_peep* peep){
 return;
 }
+#ifdef NO_RCT2
+ assert(peep->current_seat < vehicle_type->peep_loading_positions_count);
+#endif
 sint8 load_position = vehicle_type->peep_loading_positions[peep->current_seat];
 switch (vehicle->sprite_direction / 8){
diff --git a/src/openrct2/ride/ride.h b/src/openrct2/ride/ride.h
index d25d312139..308cd8b95c 100644
--- a/src/openrct2/ride/ride.h
+++ b/src/openrct2/ride/ride.h
@@ -123,7 +123,7 @@ typedef struct rct_ride_entry {
 uint8 shop_item; // 0x1C0
 uint8 shop_item_secondary; // 0x1C1
 } rct_ride_entry;
-#ifdef PLATFORM_32BIT
+#if defined(PLATFORM_32BIT) && !defined(NO_RCT2)
 assert_struct_size(rct_ride_entry, 0x1c2);
 #endif
diff --git a/src/openrct2/ride/vehicle.h b/src/openrct2/ride/vehicle.h
index 88eca50e34..1e19def884 100644
--- a/src/openrct2/ride/vehicle.h
+++ b/src/openrct2/ride/vehicle.h
@@ -77,8 +77,11 @@ typedef struct rct_ride_entry_vehicle {
 uint8 draw_order;
 uint8 special_frames; // 0x60 , 0x7A
 sint8* peep_loading_positions; // 0x61 , 0x7B
+#ifdef NO_RCT2
+ uint16 peep_loading_positions_count;
+#endif
 } rct_ride_entry_vehicle;
-#ifdef PLATFORM_32BIT
+#if defined(PLATFORM_32BIT) && !defined(NO_RCT2)
 assert_struct_size(rct_ride_entry_vehicle, 0x65);
 #endif
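Review bot: The added `assert(peep->current_seat < vehicle_type->peep_loading_positions_count)` only validates in builds where `assert` is active; with NDEBUG defined the check compiles away and the following `peep_loading_positions[peep->current_seat]` read still runs past the array for a seat the loaded object does not cover. The count appears to originate from the object file (`numPeepLoadingPositions = stream->ReadValue()` in `RideObject::ReadLegacy()`), so a guard that survives release NO_RCT2 builds is warranted, for example `if (peep->current_seat >= vehicle_type->peep_loading_positions_count) return;` placed before the read, with the assert kept for debug builds. Whether an early return is the right recovery for the peep is a gameplay question I cannot settle from the hunk, but a bounded failure is preferable to an out-of-bounds read. If peep.c does not already include `<assert.h>`, the macro also needs that include. `peep_update_ride_sub_state_1` begins and continues outside the hunk.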
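Review bot: Changing `#ifdef PLATFORM_32BIT` to `#if defined(PLATFORM_32BIT) && !defined(NO_RCT2)` switches the `assert_struct_size(rct_ride_entry, 0x1c2)` check off entirely for NO_RCT2 builds, and the same happens to `assert_struct_size(rct_ride_entry_vehicle, 0x65)` in the vehicle.h hunk; nothing on the page says why `rct_ride_entry` is affected, presumably because it embeds `rct_ride_entry_vehicle`, whose size grows with the new field. A one-line comment on the `#if` would record that: `// Layout is only required to match RCT2 when the original structs are in use; NO_RCT2 adds fields (see rct_ride_entry_vehicle)`. If a fixed layout still matters in NO_RCT2 builds (serialisation or save compatibility), a second `assert_struct_size` with the NO_RCT2 size would keep that check instead of dropping it.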
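Review bot: The new `peep_loading_positions_count` member of `rct_ride_entry_vehicle` is the only field in this block without a comment, and unlike its neighbours it has no RCT2 offset because it is not part of the original layout; that is worth stating so nobody later adds an offset or reorders it. A comment next to the declaration such as `// Number of entries in peep_loading_positions; not present in the RCT2 layout, hence NO_RCT2 only` would do. Since the field also changes the struct size, which is why the `assert_struct_size` below is disabled for NO_RCT2, a short note on that `#if` line naming the field would tie the two together.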