Fix buffer overflow when tag bits are set

Hanicef requested to merge Hanicef/SRB2:fix-mtag-buffer-overflow into next

did another run with ASan and found an issue with mtags causing buffer overflows. turns out the cause was due to a promotion from an INT16 to signed int on a value with its most significant bit set. since that value is negative, when it got promoted to a signed int, the most significant bit would move to retain the integer value. this posed a problem later as we're working with bit operations here, so it would end up shifting a negative value instead, thus causing an arithmetical shift which triggered a buffer overflow when the bit tried to be accessed here: https://git.do.srb2.org/STJr/SRB2/-/blob/next/src/doomtype.h?ref_type=heads#L378-L382

simply converting the type to UINT32 fixes the problem, which i guess is what we'd want here since MAXTAGS is actually set to UINT16_MAX and not INT16_MAX. turns out that caused issues, so instead, we'll just cast it to UINT16 where we need to (which is what we already seem to do in Tag_NextUnused).

Edited by Hanicef
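
The promotion problem described in the merge request, as an added example that is not SRB2's code. The `value >> 3` / `value & 7` indexing, the one-bit-per-tag array size and every `DEMO_`/function name are assumptions made for illustration; only the INT16 promotion, the UINT16 cast and `MAXTAGS == UINT16_MAX` come from the description.

```c
#include <stdint.h>
#include <stdio.h>

#define DEMO_MAXTAGS UINT16_MAX               /* the MAXTAGS value quoted above */
#define DEMO_BYTES   ((DEMO_MAXTAGS + 1) / 8) /* assumed: one bit per tag */

/* Tag promoted straight from INT16 to int: sign extension keeps it negative,
   and >> on a negative int is implementation-defined (arithmetic shift on
   common compilers), so the byte offset lands outside the array. */
static long byte_index_promoted(int16_t tag)
{
    int value = tag;
    return value >> 3;
}

/* Tag cast to UINT16 before promotion: the value becomes 0..65535. */
static long byte_index_cast(int16_t tag)
{
    int value = (uint16_t)tag;
    return value >> 3;
}

static int in_bounds(long index)
{
    return index >= 0 && index < DEMO_BYTES;
}

/* Setter using the cast; returns -1 instead of writing out of bounds. */
static int set_tag_bit(uint8_t *bits, int16_t tag)
{
    long i = byte_index_cast(tag);
    if (!in_bounds(i))
        return -1;
    bits[i] |= (uint8_t)(1u << ((uint16_t)tag & 7u));
    return 0;
}

int main(void)
{
    static uint8_t bits[DEMO_BYTES];
    int16_t tag = -32767; /* constructed sample: bit pattern 0x8001, MSB set */

    printf("promoted: byte %ld, in bounds: %d\n",
           byte_index_promoted(tag), in_bounds(byte_index_promoted(tag)));
    printf("cast:     byte %ld, in bounds: %d\n",
           byte_index_cast(tag), in_bounds(byte_index_cast(tag)));
    return set_tag_bit(bits, tag);
}
```

Building with `-fsanitize=address` and indexing the array with the promoted offset instead of the cast one is what produces the kind of ASan report the description mentions.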
