From 328abd1d4502bc716d13f2ba5ff04274f15efed0 Mon Sep 17 00:00:00 2001
From: Duncan Frost
Date: Sun, 17 May 2015 07:58:51 +0100
Subject: [PATCH] Fix out of bounds errors

Changed get_surface_element to bubble up the null mapElement to be taken care of by the calling function. Added checks on the track functions to ensure that invalid coordinates do not call get_surface_element_at. Fixes #1066 and Fixes #1057
---
 src/ride/track.c | 13 +++++++++++++
 src/world/map.c | 6 ++++++
 2 files changed, 19 insertions(+)

diff --git a/src/ride/track.c b/src/ride/track.c
index a808878544..cf01633a9a 100644
--- a/src/ride/track.c
+++ b/src/ride/track.c
@@ -1450,6 +1450,10 @@ int track_place_maze(sint16 x, sint16 y, sint16 z, uint8 rideIndex, uint8** trac
 continue;
 if (mapCoord.y > 0x1FFF)
 continue;
+ if (mapCoord.x < 0)
+ continue;
+ if (mapCoord.y < 0)
+ continue;
 rct_map_element* map_element = map_get_surface_element_at(mapCoord.x / 32, mapCoord.y / 32);
@@ -1645,8 +1649,17 @@ int track_place_ride(sint16 x, sint16 y, sint16 z, uint8 rideIndex, uint8** trac
 if (tile.y > 0x1FFF)
 continue;
+ if (tile.x < 0)
+ continue;
+
+ if (tile.y < 0)
+ continue;
+
 rct_map_element* map_element = map_get_surface_element_at(tile.x / 32, tile.y / 32);
+ if (map_element == NULL)
+ return 0;
+
 int height = map_element->base_height * 8;
 if (map_element->properties.surface.slope & 0xF){
 height += 16;
diff --git a/src/world/map.c b/src/world/map.c
index 67c6aaacb4..35e3eda5a5 100644
--- a/src/world/map.c
+++ b/src/world/map.c
@@ -164,6 +164,9 @@ rct_map_element *map_get_surface_element_at(int x, int y)
 {
 rct_map_element *mapElement = map_get_first_element_at(x, y);
+ if (mapElement == NULL)
+ return NULL;
+
 // Find the first surface element
 while (map_element_get_type(mapElement) != MAP_ELEMENT_TYPE_SURFACE) {
 if (map_element_is_last_for_tile(mapElement))
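Review bot: In track_place_maze the result of `map_get_surface_element_at(mapCoord.x / 32, mapCoord.y / 32)` gets no NULL check, although this same commit makes that function return NULL and adds the check in track_place_ride. The hunk ends at the call, so the later use of `map_element` is not visible here; if it is dereferenced as in track_place_ride, the guard belongs directly after the call: `if (map_element == NULL) continue;`. The new `< 0` tests also deserve a why-comment, because C division truncates toward zero and a signed coordinate of -31..-1 would otherwise become tile 0 and pass any check on the tile index: `/* reject negatives before /32: -31..-1 would truncate to tile 0 */`.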
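Review bot: The added `if (map_element == NULL) return 0;` in track_place_ride aborts the whole call, while every other invalid tile in this hunk is skipped with `continue`. The hunk shows neither what 0 means to callers nor whether earlier iterations have already modified the map, so an early return here could report a misleading result or leave a partially applied placement. Either use `if (map_element == NULL) continue;` to match the coordinate checks, or keep the return and add a comment naming the value being returned and why aborting is safe at this point. The function starts and ends outside the hunk, so this needs confirming against the full body.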
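Review bot: map_get_surface_element_at, and map_get_path_element_at in the next hunk, now hand a NULL from `map_get_first_element_at(x, y)` back to their callers, but nothing at either definition records this new contract. A one-line comment above each function would make it visible: `/* Returns NULL if map_get_first_element_at(x, y) returns NULL; callers must check before dereferencing. */`. Within this patch only track_place_ride gains such a check, so the remaining call sites, which are outside this diff, should be audited for unchecked dereferences of the result.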
@@ -178,6 +181,9 @@ rct_map_element *map_get_surface_element_at(int x, int y)
 rct_map_element* map_get_path_element_at(int x, int y, int z){
 rct_map_element *mapElement = map_get_first_element_at(x, y);
+ if (mapElement == NULL)
+ return NULL;
+
 uint8 mapFound = 0;
 // Find the path element at known z
 do {