Buffer overflow in `R_GenerateLookup`
Rua opened this issue · 0 comments
Rua commented
Version of Chocolate Doom: current master
Concerning the following line of the `R_GenerateLookup` function:

```c
colofs[x] = LONG(realpatch->columnofs[x-x1])+3;
```

The `columnofs` field of the `patch_t` struct is a statically sized array of length 8. But the index `x-x1` is often greater than 7, so it indexes past the end of the array. This was in the original Id source code too; apparently it never caused problems?
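As an added illustration (not code from the issue or from Chocolate Doom), the reader below checks a patch lump's on-disk layout against the lump size before trusting a column offset, which is the bound a struct-typed `columnofs[x-x1]` access never expresses; the helper names are my own, and the sample lump is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* On disk a Doom picture ("patch") lump is: width, height, leftoffset,
 * topoffset (16-bit each), then one 32-bit column offset per column, all
 * little-endian. patch_t declares only columnofs[8], so columnofs[x-x1]
 * with x-x1 >= 8 reads past the declared array even if still in the lump. */
#define PATCH_HEADER_LEN 8

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Hypothetical bounds-checked accessor (not Chocolate Doom's own code):
 * column offset for column x, or -1 if the header, the column index or
 * the offset itself would fall outside a lump of lump_len bytes. */
long patch_column_offset(const uint8_t *lump, size_t lump_len, int x)
{
    if (lump_len < PATCH_HEADER_LEN) return -1;
    uint16_t width = rd16(lump);
    if (x < 0 || (unsigned)x >= width) return -1;
    if ((size_t)width > (lump_len - PATCH_HEADER_LEN) / 4) return -1; /* offset table must fit */
    uint32_t off = rd32(lump + PATCH_HEADER_LEN + 4u * (unsigned)x);
    if (off >= lump_len) return -1;                                    /* offset must be inside the lump */
    return (long)off;
}
/* Constructed sample: a 16-column patch (wider than columnofs[8]) with two
 * placeholder bytes of column data per column; returns the lump length. */
#define SAMPLE_WIDTH 16
#define SAMPLE_LEN (PATCH_HEADER_LEN + 4 * SAMPLE_WIDTH + 2 * SAMPLE_WIDTH)
static size_t build_sample(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = SAMPLE_WIDTH;                           /* width (low byte); height etc. left 0 */
    for (unsigned i = 0; i < SAMPLE_WIDTH; i++) {
        uint32_t off = PATCH_HEADER_LEN + 4 * SAMPLE_WIDTH + 2 * i;
        uint8_t *p = buf + PATCH_HEADER_LEN + 4 * i;
        p[0] = (uint8_t)off; p[1] = (uint8_t)(off >> 8); p[2] = (uint8_t)(off >> 16); p[3] = (uint8_t)(off >> 24);
        buf[off] = 0xff;                             /* end-of-column marker */
    }
    return SAMPLE_LEN;
}
/* Offset of column x in the sample; lump_len < SAMPLE_LEN simulates a truncated lump. */
long sample_column_offset(int x, size_t lump_len)
{
    uint8_t buf[SAMPLE_LEN];
    size_t n = build_sample(buf);
    return patch_column_offset(buf, lump_len < n ? lump_len : n, x);
}
```

Column 0 of the sample sits right after the 16-entry offset table (offset 72), and any index, offset or table that does not fit the lump length yields -1 instead of a read outside the buffer.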