Project

General

Profile

Bug #870

possible index-out-of-bounds? (dgl_texture.c)

Added by arclore over 12 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Target version:
Start date:
2010-03-03
% Done:

100%


Description

From line 399:
void GL_GetColorPaletteRGB(DGLuint id, DGLubyte rgb3, ushort idx) {
if(id != 0 && id - 1 < numColorPalettes) {
const gl_colorpalette_t* pal = &colorPalettes[id-1];

if(idx >= pal->num)
VERBOSE(
Con_Message("GL_GetColorPaletteRGB: Warning, color idx %u "
"out of range in palette %u.\n", idx, id))
idx = MINMAX_OF(0, idx, pal->num) * 3;
rgb[CR] = pal->data[idx];
rgb[CG] = pal->data[idx + 1];
rgb[CB] = pal->data[idx + 2];
}
}
elsewhere:
#define MINMAX_OF(a, x, b) ((x) < (a)? (a) : (x) > (b)? (b) : (x))

The ConMessage says that an idx equal to or greater than pal->num is invalid. But the MINMAX_OF macro limits idx to pal->num, INCLUSIVE.
Say pal->num is 5. Based on the code, that means pal->num is [15]. If you pass an idx of 6 to the function, it tells you that it's out of range. But then it goes right ahead and tries to get pal->data15, pal->data16 and pal->data17 anyway. Perhaps it should be MINMAX_OF(0, idx, (pal->num - 1)) * 3 instead?

Labels: OpenGL Renderer

History

#1 Updated by danij over 9 years ago

Fixed for 1.9.0-beta6.9

Also available in: Atom PDF