possible type safe error #37

Open

fysnet wants to merge 1 commit into id-Software:master from fysnet:master

Conversation


@fysnet fysnet commented Feb 20, 2026

The code shown below expects weaponowned[] to be an array of integers:

DOOM/linuxdoom-1.10/st_stuff.c

Lines 1316 to 1324 in a77dfb9

    // weapons owned
    for(i=0;i<6;i++)
    {
        STlib_initMultIcon(&w_arms[i],
                           ST_ARMSX+(i%3)*ST_ARMSXSPACE,
                           ST_ARMSY+(i/3)*ST_ARMSYSPACE,
                           arms[i], (int *) &plyr->weaponowned[i+1],
                           &st_armson);
    }

However, weaponowned[] is defined as boolean. No big deal if we assume boolean, or an enum type, is the same size as an integer, until you hit the code shown below, where boolean can now be defined as bool.

    #ifndef __BYTEBOOL__
    #define __BYTEBOOL__
    // Fixed to use builtin bool type with C++.
    #ifdef __cplusplus
    typedef bool boolean;
    #else
    typedef enum {false, true} boolean;
    #endif
    typedef unsigned char byte;
    #endif

If boolean is now defined as bool, which is compiler specific but most of the time is an 8-bit byte, the first snippet of code above is now accessing 2- or 4-byte integers instead of 1-byte bools.

When this is the case, when i becomes an index high enough to overflow the memory allocated for weaponowned[], a value other than 0 and 1 will be used.

Here are a few possibilities when bool is defined as a 1-byte char:

  1. If a 2-byte integer, it can now return a value of 0 (0x0000), 1 (0x0001), 256 (0x0100), or 257 (0x0101).
  2. If a 4-byte integer, it can return a value of 0 (0x00000000), 1 (0x00000001), 256 (0x00000100), 257 (0x00000101), 65536 (0x00010000), or a number of other combinations.
  3. When the i index gets large enough to overflow the 9-byte weaponowned[] buffer, the values now become arbitrary and can be any value, really.
  4. Since the (int *) &plyr->weaponowned[i+1] will access at 2- or 4-byte increments, a small value in i will soon overflow the buffer.

The latter three scenarios can and probably will cause a Page Fault Exception, depending on your system, or at the very least not return the value you need.

Simply changing boolean to int below should make sure this doesn't happen.

    boolean weaponowned[NUMWEAPONS];
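As an added illustration of the mismatch described in the pull request (this is example code, not DOOM's own), the snippet below replays the six `(int *)` reads of the st_stuff.c loop over a nine-element weaponowned[] holding 1-byte booleans and then over the int array the fix proposes. NUMWEAPONS, the 9-byte buffer and the six icon reads come from the text above; the ownership pattern is constructed, and a 4-byte int is assumed.

```c
/* Added example, not DOOM's code: the st_stuff.c loop's (int *) read over a
   weaponowned[] of 1-byte booleans versus one of ints. NUMWEAPONS, the 9-byte
   buffer and the 6 icon reads come from the PR; the ownership pattern is
   constructed, and a 4-byte int is assumed. */
#include <stddef.h>
#include <string.h>

#define NUMWEAPONS 9                  /* size of weaponowned[] */
#define ARMS_ICONS 6                  /* iterations of the st_stuff.c loop */
typedef unsigned char byte_bool;      /* what boolean becomes as C++ bool */

/* Constructed state: first four weapons owned, the rest not. */
static const byte_bool owned_bytes[NUMWEAPONS] = {1, 1, 1, 1, 0, 0, 0, 0, 0};
static const int       owned_ints[NUMWEAPONS]  = {1, 1, 1, 1, 0, 0, 0, 0, 0};

/* What (int *)&weaponowned[idx] sees when the elements are 1-byte bools.
   memcpy plus a bounds check keeps this well-defined; -1 means the
   sizeof(int)-byte read would run past the 9-byte buffer. */
int weaponowned_as_int(size_t idx)
{
    int value;
    if (idx + sizeof(int) > NUMWEAPONS)
        return -1;
    memcpy(&value, owned_bytes + idx, sizeof value);
    return value;
}

/* Reads of the st_stuff.c loop that overflow or are not 0/1 with 1-byte bools. */
int bad_reads_with_byte_bool(void)
{
    int bad = 0, i;
    for (i = 0; i < ARMS_ICONS; i++) {
        int v = weaponowned_as_int((size_t)i + 1);
        if (v != 0 && v != 1)        /* -1 (overflow), 256, 257, 65793, ... */
            bad++;
    }
    return bad;
}

/* Same loop after the proposed fix (int weaponowned[NUMWEAPONS]): every
   read is one in-bounds element holding exactly 0 or 1. */
int bad_reads_with_int(void)
{
    int bad = 0, i;
    for (i = 0; i < ARMS_ICONS; i++)
        if (owned_ints[i + 1] != 0 && owned_ints[i + 1] != 1)
            bad++;
    return bad;
}
```

The real loop dereferences the cast pointer directly, which is undefined behaviour once it runs off the end of the array; the memcpy and bounds check here only make the observed values deterministic.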
