From 8356e5a5200fe0dcb02b3b80252ee47109e7c5a1 Mon Sep 17 00:00:00 2001
From: Robert Crossfield
Date: Sun, 24 May 2026 12:13:09 +1000
Subject: [PATCH] Guard Amiga hill sprite copy against short buffers
---
 Source/Amiga/Graphics_Amiga.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Source/Amiga/Graphics_Amiga.cpp b/Source/Amiga/Graphics_Amiga.cpp
index 6bb66364..093d5e94 100644
--- a/Source/Amiga/Graphics_Amiga.cpp
+++ b/Source/Amiga/Graphics_Amiga.cpp
@@ -292,6 +292,13 @@ void cGraphics_Amiga::Load_Hill_Data() {
 mImageHillSprites = Decode_Image("hills", 64);
 mImageHillSprites.mData->resize(mImageHillBackground.GetHeader()->ScreenSize() * (mImageHillBackground.GetHeader()->mPlanes + 30));
 
+ // Legacy code below writes to fixed offsets in the hill sprite buffer.
+ // Ensure the decoded image is large enough before using those offsets.
+ constexpr size_t kHillSpriteMinSize = 0x42A0E;
+ if (mImageHillSprites.mData->size() < kHillSpriteMinSize) {
+ return;
+ }
+
 // A5A7E
 uint8* a0 = mImageHillSprites.mData->data() + (29 * 40);
 uint8* a1 = mImageHillSprites.mData->data() + 0x390EE + 0x3E8;
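Review bot: The size tested by `if (mImageHillSprites.mData->size() < kHillSpriteMinSize)` is the one just set by the preceding `resize(...)`, which is computed from `mImageHillBackground`'s header rather than from the decoded "hills" data. The guard therefore validates the background header's dimensions, and a truncated hills file still passes with zero-padded contents; the added comment ("Ensure the decoded image is large enough") should say so, e.g. `// Size is set by the resize() above from the background header; it must cover the highest fixed offset written below.` The value `0x42A0E` cannot be checked against the hunk, since the only offsets visible are `29 * 40` and `0x390EE + 0x3E8` and the function body continues past it, so the comment should also record which write it bounds. The bare `return;` leaves `mImageHillSprites` resized but unprocessed with no diagnostic, so it would be safer to report the failure or reset the image so later users do not read a half-initialised sprite sheet. Separately, `mData->resize` is dereferenced before any check, and whether `Decode_Image` can return an image without data on a missing file is not visible here.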