From efd01708565a78c6fe51c31e9f3147ea18260719 Mon Sep 17 00:00:00 2001
From: James R
Date: Sat, 3 Feb 2024 00:58:27 -0800
Subject: [PATCH] R_DrawMaskedColumn: set texheight to column length

- In R_DrawColumnTemplate, texheight is used to switch between a non-PO2 rasterizer and a more efficient PO2 rasterizer.
- There is bounds checking on the non-PO2 version (in the form of sourcelength) but not on the PO2 version.
- texheight was set to the sprite patch height, which may be taller than the column (sourcelength), leading to a read out of bounds.
---
 src/r_things.cpp | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/r_things.cpp b/src/r_things.cpp
index 3c4385f29..239ab99a8 100644
--- a/src/r_things.cpp
+++ b/src/r_things.cpp
@@ -689,6 +689,7 @@ void R_DrawMaskedColumn(drawcolumndata_t* dc, column_t *column, column_t *bright
 {
 dc->source = (UINT8 *)column + 3;
 dc->sourcelength = column->length;
+ dc->texheight = column->length;
 if (brightmap != NULL)
 {
 dc->brightmap = (UINT8 *)brightmap + 3;
@@ -775,6 +776,7 @@ void R_DrawFlippedMaskedColumn(drawcolumndata_t* dc, column_t *column, column_t
 {
 dc->source = static_cast(ZZ_Alloc(column->length));
 dc->sourcelength = column->length;
+ dc->texheight = column->length;
 for (s = (UINT8 *)column+2+column->length, d = dc->source; d < dc->source+column->length; --s)
 *d++ = *s;
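Review bot: The new `dc->texheight = column->length;` in R_DrawMaskedColumn encodes a memory-safety invariant that the code itself never states, so a later change that sets texheight back to the patch height would silently reintroduce the out-of-bounds read described in the commit message. A comment on that line would pin it, for example `// keep texheight <= sourcelength: the PO2 path in R_DrawColumnTemplate does no bounds check`; the identical assignment in R_DrawFlippedMaskedColumn wants the same comment. The assignment also overwrites a field of the caller's dc on every post, so it is worth confirming that nothing reads dc->texheight as the patch height after these functions return, and that a zero column->length cannot reach the rasterizer, since 0 may also pass a power-of-two test. Both function bodies start and end outside the hunks shown.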