From d9c5670e935d79b18e5957a69f8be4e16fc04079 Mon Sep 17 00:00:00 2001
From: bank <bank@deelogic.net>
Date: Thu, 16 Oct 2014 19:39:25 +0400
Subject: [PATCH] Fix possible array overrun. We should clamp the index value
 to the size of the weaponMountNode[], which is ShapeBase::MaxMountedImages
 (4) and SceneObject::NumMountPoints = 31.

---
 Engine/source/T3D/turret/turretShape.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Engine/source/T3D/turret/turretShape.cpp b/Engine/source/T3D/turret/turretShape.cpp
index 5d53fabe8..b824d75cd 100644
--- a/Engine/source/T3D/turret/turretShape.cpp
+++ b/Engine/source/T3D/turret/turretShape.cpp
@@ -1155,7 +1155,7 @@ void TurretShape::unpackUpdate(NetConnection *connection, BitStream *stream)
 void TurretShape::getWeaponMountTransform( S32 index, const MatrixF &xfm, MatrixF *outMat )
 {
    // Returns mount point to world space transform
-   if ( index >= 0 && index < SceneObject::NumMountPoints) {
+   if ( index >= 0 && index < ShapeBase::MaxMountedImages) {
       S32 ni = mDataBlock->weaponMountNode[index];
       if (ni != -1) {
          MatrixF mountTransform = mShapeInstance->mNodeTransforms[ni];
@@ -1180,7 +1180,7 @@ void TurretShape::getWeaponMountTransform( S32 index, const MatrixF &xfm, Matrix
 void TurretShape::getRenderWeaponMountTransform( F32 delta, S32 mountPoint, const MatrixF &xfm, MatrixF *outMat )
 {
    // Returns mount point to world space transform
-   if ( mountPoint >= 0 && mountPoint < SceneObject::NumMountPoints) {
+   if ( mountPoint >= 0 && mountPoint < ShapeBase::MaxMountedImages) {
       S32 ni = mDataBlock->weaponMountNode[mountPoint];
       if (ni != -1) {
          MatrixF mountTransform = mShapeInstance->mNodeTransforms[ni];