From eedb24700d73c5485e0f7c35b4b3a8433feef8d0 Mon Sep 17 00:00:00 2001
From: duncanspumpkin <duncans_pumpkin@hotmail.co.uk>
Date: Tue, 2 Apr 2019 18:33:14 +0100
Subject: [PATCH] Fix #8535, #8480. Unintialised variable used to get path
 object.

When you try to mirror a track design that has a path object type that isn't loaded it will try to pass an uninitialised variable as the index of the path object. This will cause a bad pointer to be generated. Fix was to auto set it to zero and to be super careful reset it again to zero in the case when its not available
---
 src/openrct2/ride/TrackDesign.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/openrct2/ride/TrackDesign.cpp b/src/openrct2/ride/TrackDesign.cpp
index 560c804258..b9954db94a 100644
--- a/src/openrct2/ride/TrackDesign.cpp
+++ b/src/openrct2/ride/TrackDesign.cpp
@@ -494,7 +494,7 @@ static void track_design_mirror_scenery(rct_track_td6* td6)
     rct_td6_scenery_element* scenery = td6->scenery_elements;
     for (; scenery != nullptr && scenery->scenery_object.end_flag != 0xFF; scenery++)
     {
-        uint8_t entry_type, entry_index;
+        uint8_t entry_type{ 0 }, entry_index{ 0 };
         if (!find_object_in_entry_group(&scenery->scenery_object, &entry_type, &entry_index))
         {
             entry_type = object_entry_get_type(&scenery->scenery_object);
@@ -502,6 +502,8 @@ static void track_design_mirror_scenery(rct_track_td6* td6)
             {
                 continue;
             }
+
+            entry_index = 0;
         }
 
         rct_scenery_entry* scenery_entry = (rct_scenery_entry*)object_entry_get_chunk(entry_type, entry_index);