GameWithPixels / DiceFirmware

Pixels dice firmware code.
MIT License

animation_sequence doesn't validate/clamp "animationCount", leading to out of bounds memory read #89

Closed ChadNedzlek closed 7 months ago

ChadNedzlek commented 7 months ago

The "preset" for AnimationSequence only has room for 4 triggered animations, but "animationCount" is a full byte.

In this line: https://github.com/GameWithPixels/DiceFirmware/blob/main/src/animations/animation_sequence.cpp#L74C37-L74C51 there is no bounds checking, so it's going to just read forward into memory (which might be the next sent animation) and begin executing animation commands based on those.

The loop should probably only go to min(4, preset->animationCount) to at least avoid the unbounded read.
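The bound suggested above, as an added example that is not part of the issue or the firmware's own code. The struct layout, field names, and helper functions are assumptions made for illustration; only the 4-slot capacity and the one-byte `animationCount` come from the issue.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>

// Hypothetical layout for illustration; not the firmware's real structs.
constexpr std::size_t kMaxSequenceAnimations = 4;  // slots the preset has room for

struct TriggeredAnimation {
    uint16_t animOffset;  // animation to start (assumed field)
    uint16_t delayMs;     // start time within the sequence (assumed field)
};

struct SequencePreset {
    TriggeredAnimation animations[kMaxSequenceAnimations];
    uint8_t animationCount;  // comes from received data, so any value 0..255
};

// Option 1: reject a malformed preset when it is received.
bool isValidPreset(const SequencePreset& p) {
    return p.animationCount <= kMaxSequenceAnimations;
}

// Option 2: clamp at the point of use, i.e. min(4, preset->animationCount).
std::size_t safeAnimationCount(const SequencePreset& p) {
    return std::min<std::size_t>(p.animationCount, kMaxSequenceAnimations);
}

// Counts triggered animations due at nowMs, visiting only slots that exist.
std::size_t countDue(const SequencePreset& p, uint16_t nowMs) {
    std::size_t due = 0;
    for (std::size_t i = 0; i < safeAnimationCount(p); ++i) {
        if (p.animations[i].delayMs <= nowMs) ++due;
    }
    return due;
}

// Constructed sample: four slots with delays 0, 10, 20, 30 ms and a caller-chosen count.
SequencePreset makeSample(uint8_t claimedCount) {
    SequencePreset p{};
    for (std::size_t i = 0; i < kMaxSequenceAnimations; ++i) {
        p.animations[i] = {static_cast<uint16_t>(i), static_cast<uint16_t>(i * 10)};
    }
    p.animationCount = claimedCount;
    return p;
}
```

Rejecting at receive time keeps malformed data out entirely, while the clamp protects the loop even if a bad preset gets through.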