TorqueGameEngines/Torque3D
1
0
Fork 0
mirror of https://github.com/TorqueGameEngines/Torque3D.git synced 2026-02-23 00:23:46 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix possible array overrun.

Browse source 
We should clamp the index value to the size of the weaponMountNode[], which is ShapeBase::MaxMountedImages (4) and SceneObject::NumMountPoints = 31.
This commit is contained in:
bank 2014-10-16 19:39:25 +04:00 committed by Daniel Buckmaster
parent c23f3fbd9f
commit d9c5670e93
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Engine/source/T3D/turret/turretShape.cpp
View file

@ -1155,7 +1155,7 @@ void TurretShape::unpackUpdate(NetConnection *connection, BitStream *stream)
void TurretShape::getWeaponMountTransform( S32 index, const MatrixF &xfm, MatrixF *outMat )
{
// Returns mount point to world space transform
if ( index >= 0 && index < SceneObject::NumMountPoints) {
if ( index >= 0 && index < ShapeBase::MaxMountedImages) {
S32 ni = mDataBlock->weaponMountNode[index];
if (ni != -1) {
MatrixF mountTransform = mShapeInstance->mNodeTransforms[ni];
@ -1180,7 +1180,7 @@ void TurretShape::getWeaponMountTransform( S32 index, const MatrixF &xfm, Matrix
void TurretShape::getRenderWeaponMountTransform( F32 delta, S32 mountPoint, const MatrixF &xfm, MatrixF *outMat )
{
// Returns mount point to world space transform
if ( mountPoint >= 0 && mountPoint < SceneObject::NumMountPoints) {
if ( mountPoint >= 0 && mountPoint < ShapeBase::MaxMountedImages) {
S32 ni = mDataBlock->weaponMountNode[mountPoint];
if (ni != -1) {
MatrixF mountTransform = mShapeInstance->mNodeTransforms[ni];