From 23b565cec544e51daf902fba1a2bb4ce0c97ced0 Mon Sep 17 00:00:00 2001
From: Eidolon
Date: Tue, 30 Jan 2024 17:01:09 -0600
Subject: [PATCH 1/2] Drop papersprite draws that are too wide

This prevents an arithmetic overflow when evaluating xscale, resulting in a negative xscale.
---
 src/r_things.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/r_things.cpp b/src/r_things.cpp
index 8dcd89df6..d83e61f27 100644
--- a/src/r_things.cpp
+++ b/src/r_things.cpp
@@ -2081,11 +2081,21 @@ static void R_ProjectSprite(mobj_t *thing)
 if (x2 < 0)
 return;
- if ((range = x2 - x1) <= 0)
+ range = x2 - x1;
+ if (range < 0)
+ {
 return;
+ }
 range++; // fencepost problem
+ if (range > 32767)
+ {
+ // If the range happens to be too large for fixed_t,
+ // abort the draw to avoid xscale becoming negative due to arithmetic overflow.
+ return;
+ }
+
 scalestep = ((yscale2 - yscale)/range);
 if (scalestep == 0)
From f4b4c664c4c93236c6714c2cebadef35423a503f Mon Sep 17 00:00:00 2001
From: Eidolon
Date: Tue, 30 Jan 2024 17:02:17 -0600
Subject: [PATCH 2/2] Clamp lindex during vissprite light calculation

Mitigates against negative or very large xscale values causing lindex to evaluate < 0, preventing a potential colormap indexing-related crash.
---
 src/r_things.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/r_things.cpp b/src/r_things.cpp
index d83e61f27..3c4385f29 100644
--- a/src/r_things.cpp
+++ b/src/r_things.cpp
@@ -2538,8 +2538,8 @@ static void R_ProjectSprite(mobj_t *thing)
 // diminished light
 lindex = FixedMul(xscale, LIGHTRESOLUTIONFIX)>>(LIGHTSCALESHIFT);
- if (lindex >= MAXLIGHTSCALE)
- lindex = MAXLIGHTSCALE-1;
+ // Mitigate against negative xscale and arithmetic overflow
+ lindex = std::clamp(lindex, 0, MAXLIGHTSCALE - 1);
 if (vis->cut & SC_SEMIBRIGHT)
 lindex = (MAXLIGHTSCALE/2) + (lindex >> 1);
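Review bot: The rewritten guard `if (range < 0)` no longer rejects `range == 0`, which the removed `if ((range = x2 - x1) <= 0)` did, so a sprite with `x2 == x1` now carries on with a `range` of 1 after the increment. The commit message only describes the width limit, so if this is deliberate it deserves a comment such as `// x2 == x1 is a one-column sprite, keep it`, and if not the guard should stay `if (range <= 0)`. The new bound `32767` is a bare literal; a named constant (for instance `INT16_MAX`) and a comment naming the later expression that overflows would show why this is the right limit. The xscale computation itself lies outside this hunk, so whether 32767 is tight enough for it cannot be confirmed from the lines shown.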
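Review bot: The new `lindex = std::clamp(lindex, 0, MAXLIGHTSCALE - 1);` keeps the index in bounds but silently turns an overflowed or negative xscale into a valid-looking light level, so the upstream arithmetic fault is no longer observable at this point. A debug-only check or log before the clamp would keep that signal, and the comment could state the invariant directly, e.g. `// lindex indexes a table of MAXLIGHTSCALE entries; xscale may be negative after overflow`. Any other place in the renderer that derives a light index with only the old upper-bound test (none is visible in this hunk) would need the same lower bound. The diffstat shows no include change, so `<algorithm>` is presumably already available in r_things.cpp; it is worth confirming that it is included directly rather than transitively.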