Merge pull request #114 from OpenFodder/codex/fix-amiga-hills.lbm-load-vulnerability

segrax · web-flow · commit ad2837d422df · 2026-05-24T12:27:16.000+10:00
Guard Amiga hill sprite copy against short buffers
diff --git a/Source/Amiga/Graphics_Amiga.cpp b/Source/Amiga/Graphics_Amiga.cpp
@@ -292,6 +292,13 @@ void cGraphics_Amiga::Load_Hill_Data() {
 	mImageHillSprites = Decode_Image("hills", 64);
 	mImageHillSprites.mData->resize(mImageHillBackground.GetHeader()->ScreenSize() * (mImageHillBackground.GetHeader()->mPlanes + 30));
 
+	// Legacy code below writes to fixed offsets in the hill sprite buffer.
+	// Ensure the decoded image is large enough before using those offsets.
+	constexpr size_t kHillSpriteMinSize = 0x42A0E;
+	if (mImageHillSprites.mData->size() < kHillSpriteMinSize) {
+		return;
+	}
+
 	// A5A7E
 	uint8* a0 = mImageHillSprites.mData->data() + (29 * 40);
 	uint8* a1 = mImageHillSprites.mData->data() + 0x390EE + 0x3E8;
