diasurgical / devilution

Diablo devolved - magic behind the 1996 computer game

missiles: add BUGFIX for SetMissAnim #2273

Closed mewmew closed 2 years ago

mewmew commented 2 years ago

A buffer overflow is triggered when casting Identify (or any other spell which has mFileNum set to 255).

mewmew commented 2 years ago

Triggered as follows:

```c
int AddMissile(..., int mitype=MIT_IDENTIFY, ...) {
...
    missile[mi]._miAnimType = missiledata[mitype].mFileNum; // mFileNum=MFILE_NONE (255) for identify.
...
    if (missile[mi]._miAnimType == MFILE_NONE || misfiledata[missile[mi]._miAnimType].mAnimFAmt < 8) {
        SetMissDir(mi, 0); // NOTE: SetMissDir invoked with _miAnimType == MFILE_NONE.
    } else {
        SetMissDir(mi, midir);
    }
}

void SetMissDir(int mi, int dir) {
    missile[mi]._mimfnum = dir;
    SetMissAnim(mi, missile[mi]._miAnimType);
}

void SetMissAnim(int mi, int animtype) {
    int dir = missile[mi]._mimfnum;

    missile[mi]._miAnimType = animtype;
    missile[mi]._miAnimFlags = misfiledata[animtype].mFlags;            // BUGFIX: buffer overflow for MFILE_NONE (255).
    missile[mi]._miAnimData = misfiledata[animtype].mAnimData[dir];     // BUGFIX: buffer overflow for MFILE_NONE (255).
    missile[mi]._miAnimDelay = misfiledata[animtype].mAnimDelay[dir];   // BUGFIX: buffer overflow for MFILE_NONE (255).
    missile[mi]._miAnimLen = misfiledata[animtype].mAnimLen[dir];       // BUGFIX: buffer overflow for MFILE_NONE (255).
    missile[mi]._miAnimWidth = misfiledata[animtype].mAnimWidth[dir];   // BUGFIX: buffer overflow for MFILE_NONE (255).
    missile[mi]._miAnimWidth2 = misfiledata[animtype].mAnimWidth2[dir]; // BUGFIX: buffer overflow for MFILE_NONE (255).
    missile[mi]._miAnimCnt = 0;
    missile[mi]._miAnimFrame = 1;
}
```
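Added example (not mewmew's code and not the devilution fix): a reduced, self-contained model of the `SetMissDir` → `SetMissAnim` path in which the animation lookup validates the `MFILE_NONE` sentinel and both table indices before reading `misfiledata`, so the Identify case reported above fails closed instead of reading past the table. The table sizes, struct layouts and sample entries are constructed for the example.

```c
#include <stdbool.h>
/* Constructed stand-in for the game's tables. MFILE_NONE (255) is the
 * "no animation file" sentinel, but misfiledata[] has far fewer entries,
 * so using the sentinel as an index reads past the end of the table. */
#define MFILE_NONE 255
#define NUM_MFILE  4  /* assumed table size for this example */
#define NUM_DIRS   16 /* assumed number of animation directions */

typedef struct {
    int mFlags;
    int mAnimDelay[NUM_DIRS];
    int mAnimLen[NUM_DIRS];
} MisFileData;

typedef struct {
    int _miAnimType, _mimfnum;
    int _miAnimFlags, _miAnimDelay, _miAnimLen, _miAnimCnt, _miAnimFrame;
} Missile;

/* Constructed sample data: file 1 is a 6-frame animation with delay 2. */
static const MisFileData misfiledata[NUM_MFILE] = {
    [1] = { .mFlags = 1, .mAnimDelay = { [0] = 2 }, .mAnimLen = { [0] = 6 } },
};

/* Hardened SetMissAnim (assumed fix, not the project's): validate both
 * indices before reading the table. Returns false and leaves the missile
 * without animation data for MFILE_NONE or any out-of-range type/direction. */
bool SetMissAnimChecked(Missile *m, int animtype)
{
    int dir = m->_mimfnum;
    m->_miAnimType = animtype;
    m->_miAnimCnt = 0;
    m->_miAnimFrame = 1;
    if (animtype == MFILE_NONE || animtype < 0 || animtype >= NUM_MFILE
        || dir < 0 || dir >= NUM_DIRS) {
        m->_miAnimFlags = m->_miAnimDelay = m->_miAnimLen = 0;
        return false;
    }
    m->_miAnimFlags = misfiledata[animtype].mFlags;
    m->_miAnimDelay = misfiledata[animtype].mAnimDelay[dir];
    m->_miAnimLen = misfiledata[animtype].mAnimLen[dir];
    return true;
}

/* Same shape as SetMissDir in the report: store dir, then look up the anim. */
bool SetMissDirChecked(Missile *m, int dir)
{
    m->_mimfnum = dir;
    return SetMissAnimChecked(m, m->_miAnimType);
}
```

The Identify path from the report corresponds to a missile whose `_miAnimType` is already `MFILE_NONE` when `SetMissDirChecked(&m, 0)` is called; the checked version returns false and zeroes the animation fields rather than indexing `misfiledata[255]`.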