From b4bb4db12bf9a6bdc12246e82c8fc54337f98e6a Mon Sep 17 00:00:00 2001
From: toaster
Date: Mon, 26 May 2025 21:25:06 +0100
Subject: [PATCH] skinref_t: Don't dereference out-of-range

- Misjudged the boundary conditions as `numskins == MAXSKINS` is valid
- Internal version of public MR !113, credit Alu Folie for bringing attention to the area of error
---
 src/g_gamedata.cpp | 2 +-
 src/k_menudraw.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/g_gamedata.cpp b/src/g_gamedata.cpp
index 1fd9e3ab3..be218c5ca 100644
--- a/src/g_gamedata.cpp
+++ b/src/g_gamedata.cpp
@@ -214,7 +214,7 @@ void srb2::save_ng_gamedata()
 {
 newrecords.bestskin = String(skinref.unloaded->name);
 }
- else
+ else if (skinref.id < numskins)
 {
 newrecords.bestskin = String(skins[skinref.id].name);
 }
diff --git a/src/k_menudraw.c b/src/k_menudraw.c
index 61853ece5..45465504a 100644
--- a/src/k_menudraw.c
+++ b/src/k_menudraw.c
@@ -3029,7 +3029,7 @@ fixed_t M_DrawCupWinData(INT32 rankx, INT32 ranky, cupheader_t *cup, UINT8 diffi
 patch_t *charPat = NULL;
 if ((windata->best_skin.unloaded != NULL)
- || (windata->best_skin.id > numskins))
+ || (windata->best_skin.id >= numskins))
 {
 colormap = NULL;
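Review bot: In the src/g_gamedata.cpp hunk, the new `else if (skinref.id < numskins)` has no final `else`, so an out-of-range id now leaves `newrecords.bestskin` at whatever value it held before the chain, and nothing in the code says that this is intended. A comment on that branch would record it, for example `// id >= numskins: no valid skin, leave bestskin unset instead of indexing past skins[]`. The declaration of `skinref.id` is not visible here; if it is a signed type, a negative value would still pass the `<` test and index before the array, so the lower bound or the unsignedness of the field should be confirmed. The same range test is written with the opposite polarity in the src/k_menudraw.c hunk, and a small shared predicate would keep the two boundaries from drifting apart again. The body of `srb2::save_ng_gamedata()` starts and ends outside the hunk.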