Fix buffer overflow when tag bits are set

Did another run with ASan and found an issue with mtags causing buffer overflows. Turns out the cause was a promotion from an INT16 to a signed int on a value with its most significant bit set. Since that value is negative, when it got promoted to a signed int, the most significant bit would move to retain the integer value. This posed a problem later, as we're working with bit operations here, so it would end up shifting a negative value instead, causing an arithmetic shift, which triggered a buffer overflow when the bit was accessed here: https://git.do.srb2.org/STJr/SRB2/-/blob/next/src/doomtype.h?ref_type=heads#L378-L382

To solve this, we can just cast it to UINT16 where we need to (which is what we already seem to do in Tag_NextUnused).

(Also, ignore what happened in !2192 (closed), I kinda screwed up that PR :P)

Edited by Hanicef
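As an added illustration of the promotion described in the MR (this is not code from the MR or from SRB2; the INT16/UINT16/UINT8 typedefs and the byte-per-8-bits bit-array layout are assumptions), it computes the byte index a sign-extended INT16 tag produces beside the index after the UINT16 cast, and checks each against the array bounds:

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-ins for the engine's fixed-width typedefs. */
typedef int16_t  INT16;
typedef uint16_t UINT16;
typedef uint8_t  UINT8;

/* Assumed layout: one bit per possible 16-bit tag, 8 bits per byte. */
#define TAG_BIT_ARRAY_BYTES ((65536 + 7) >> 3)

/* Byte index when the INT16 tag is promoted to int before shifting.
 * A tag with its top bit set is negative; integer promotion sign-extends it,
 * so the shift is an arithmetic shift of a negative value and the index lands
 * before the start of the array (the out-of-bounds read ASan reports). */
static long byte_index_signed(INT16 tag)
{
    return (long)(tag >> 3);
}

/* Byte index after the fix: cast to UINT16 first, so the value is
 * zero-extended and the index stays inside [0, TAG_BIT_ARRAY_BYTES). */
static long byte_index_unsigned(INT16 tag)
{
    return (long)((UINT16)tag >> 3);
}

/* 1 if idx can safely index the tag bit array, 0 otherwise. */
static int index_in_bounds(long idx)
{
    return idx >= 0 && idx < TAG_BIT_ARRAY_BYTES;
}

/* Set the tag's bit using the fixed (zero-extended) index and read it back. */
static int set_and_test_tag(UINT8 *bits, INT16 tag)
{
    UINT16 u = (UINT16)tag;
    bits[u >> 3] |= (UINT8)(1u << (u & 7));
    return (bits[u >> 3] >> (u & 7)) & 1;
}

int main(void)
{
    static UINT8 bits[TAG_BIT_ARRAY_BYTES];
    INT16 tag = -32767; /* constructed tag with the MSB set: bit pattern 0x8001 */
    printf("signed index %ld, in bounds: %d\n", byte_index_signed(tag), index_in_bounds(byte_index_signed(tag)));
    printf("unsigned index %ld, in bounds: %d\n", byte_index_unsigned(tag), index_in_bounds(byte_index_unsigned(tag)));
    printf("bit set and read back: %d\n", set_and_test_tag(bits, tag));
    return 0;
}
```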
