Fix buffer overflow when tag bits are set

Did another run with ASan and found an issue with mtags causing buffer overflows. Turns out the cause was a promotion from an INT16 to a signed int on a value with its most significant bit set. Since that value is negative, when it got promoted to a signed int, the most significant bit would move to retain the integer value. This posed a problem later, as we're working with bit operations here, so it would end up shifting a negative value instead, thus causing an arithmetical shift which triggered a buffer overflow when the bit was accessed here: https://git.do.srb2.org/STJr/SRB2/-/blob/next/src/doomtype.h?ref_type=heads#L378-L382

Simply converting the type to UINT32 fixes the problem, which I guess is what we'd want here since MAXTAGS is actually set to UINT16_MAX and not INT16_MAX. Turns out that caused issues, so instead, we'll just cast it to UINT16 where we need to (which is what we already seem to do in Tag_NextUnused).

Edited by Hanicef
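
The sign-extension problem the MR describes, as an added illustration that is not SRB2's own code: a tag held in an INT16 with its top bit set is promoted to a negative int, so the shift that derives a bit-array index yields a negative (out-of-bounds) index, while casting through UINT16 first keeps the 0..65535 value. The `BIT_ARRAY_SIZE` macro and the `index_*` helpers are assumptions for this example, not the project's definitions.

```c
#include <stdint.h>
#include <stdio.h>

/* Type names borrowed from doomtype.h; the definitions here are assumed. */
typedef int16_t  INT16;
typedef uint16_t UINT16;
typedef uint8_t  bitarray_t;

#define MAXTAGS UINT16_MAX                 /* as stated in the MR */
#define BIT_ARRAY_SIZE(n) (((n) + 7) / 8)  /* constructed helper */

/* Byte index a tag selects when the INT16 is used directly: integer
   promotion sign-extends it, so a tag with its MSB set is negative and
   the (arithmetic) shift yields a negative index. */
static long index_signed(INT16 tag)
{
    return tag >> 3;
}

/* Same computation after the cast the MR applies: the bit pattern is
   reinterpreted as 0..65535, so the index always lands inside the array. */
static long index_unsigned(INT16 tag)
{
    return (UINT16)tag >> 3;
}

/* 1 if idx addresses a byte inside a bit array sized for MAXTAGS + 1 tags. */
static int index_in_bounds(long idx)
{
    return idx >= 0 && idx < (long)BIT_ARRAY_SIZE(MAXTAGS + 1);
}

int main(void)
{
    INT16 tag = -1; /* constructed: bit pattern 0xFFFF, MSB set */
    printf("signed:   index %ld, in bounds: %d\n",
           index_signed(tag), index_in_bounds(index_signed(tag)));
    printf("unsigned: index %ld, in bounds: %d\n",
           index_unsigned(tag), index_in_bounds(index_unsigned(tag)));
    return 0;
}
```

Built with ASan, indexing a bitarray_t with the signed result reads before the allocation, which is the overflow the sanitizer reported.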
