From 2b7b405ad9a88056560b4d77dd7aecc2770156a8 Mon Sep 17 00:00:00 2001 From: polyesterswing Date: Sat, 18 Nov 2023 22:44:46 +0530 Subject: [PATCH] SLUDGE: Fix out of bounds read in Z-Buffer code When window dimensions and scene dimensions are not equal, an out of bounds read occurred. In frasse, if you were to go up, left and then left again, you will arrive on a scene with a mountain. This scene uses a z-buffer wider than the screen width. This caused issues with the existing z-buffer code. --- engines/sludge/zbuffer.cpp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/engines/sludge/zbuffer.cpp b/engines/sludge/zbuffer.cpp index d36d9c03ccb..9c26241a6d4 100644 --- a/engines/sludge/zbuffer.cpp +++ b/engines/sludge/zbuffer.cpp @@ -172,7 +172,7 @@ void GraphicsManager::drawSpriteToZBuffer(int x, int y, uint8 depth, const Graph byte *target = (byte *)_renderSurface.getBasePtr(x1 + x, y1 + y); const byte *source = (const byte *)surface.getBasePtr(x1, y1); - if (depth > _zBufferSurface[(y1 + y) * _sceneWidth + (x1 + x)]) { + if (depth > _zBufferSurface[(y1 + y) * _winWidth + (x1 + x)]) { if (source[0] == 0xff) { // Completely opaque, so copy RGB values over @@ -193,8 +193,8 @@ void GraphicsManager::drawZBuffer(int x, int y, bool upsidedown) { fillZBuffer(0); - for (uint y1 = y; y1 < _zBuffer->height + y; y1++) { - for (uint x1 = x; x1 < _zBuffer->width + x; x1++) { + for (uint y1 = y; y1 < _winHeight + y; y1++) { + for (uint x1 = x; x1 < _winWidth + x; x1++) { uint8 z = 0; @@ -205,8 +205,8 @@ void GraphicsManager::drawZBuffer(int x, int y, bool upsidedown) { } - if ( z > _zBufferSurface[y1 * _winWidth + x1]) - _zBufferSurface[y1 * _winWidth + x1] = z; + if ( z > _zBufferSurface[(y1 - y) * _winWidth + (x1 - x)]) + _zBufferSurface[(y1 - y) * _winWidth + (x1 - x)] = z; } }