Clamp Amiga DrawPixel plane count to prevent stack buffer overflow by segrax · Pull Request #113 · OpenFodder/openfodder

segrax · 2026-05-24T01:50:32Z

The Amiga DrawPixel routine used a fixed uint8 Planes[5] stack buffer while iterating up to mBMHD_Current->mPlanes parsed from untrusted ILBM BMHD data, allowing out-of-bounds stack writes for malformed assets.
The animated Amiga intro invokes this path automatically on first run, increasing exposure to attacker-controlled local data files.

Introduces constexpr uint8 MaxSupportedPlanes = 5 and a local PlaneCount variable that is clamped to that maximum.
Both the plane-load loop and the per-pixel compose loop now iterate to PlaneCount instead of mBMHD_Current->mPlanes.
The change is limited to cGraphics_Amiga::DrawPixel in Source/Amiga/Graphics_Amiga.cpp and preserves rendering behavior for valid 5-plane assets.

No project unit tests or CI were executed in this environment; the patch was applied and committed successfully.
Verified the change via git diff, nl, and file inspection of Source/Amiga/Graphics_Amiga.cpp to confirm the bounds check and loop updates were added.
The fix is minimal and removes the stack-buffer-overflow root cause by preventing indexing past the local Planes buffer.

Fix DrawPixel plane-count bounds in Amiga intro renderer

a2eac4f

segrax added codex aardvark labels May 24, 2026 — with ChatGPT Codex Connector

segrax added the codex label May 24, 2026

segrax merged commit e412180 into master May 24, 2026
6 checks passed

segrax deleted the codex/fix-amiga-intro-drawpixel-vulnerability branch May 24, 2026 02:35

Provide feedback