CmdSetup: Fix OOB reads

jetrotal · jetrotal · commit 44f8b097d792 · 2025-01-28T14:30:18.000-03:00
Using Ghabry's proposed solution. Fixes an Issue similar to #3320
diff --git a/src/game_interpreter.cpp b/src/game_interpreter.cpp
@@ -647,9 +647,9 @@ bool Game_Interpreter::ExecuteCommand(lcf::rpg::EventCommand const& com) {
 		case Cmd::ChangeHeroTitle:
 			return CommandChangeHeroTitle(com);
 		case Cmd::ChangeSpriteAssociation:
-			return CommandChangeSpriteAssociation(com);
+			return CmdSetup<&Game_Interpreter::CommandChangeSpriteAssociation, 3>(com);
 		case Cmd::ChangeActorFace:
-			return CommandChangeActorFace(com);
+			return CmdSetup<&Game_Interpreter::CommandChangeActorFace, 4>(com);
 		case Cmd::ChangeVehicleGraphic:
 			return CommandChangeVehicleGraphic(com);
 		case Cmd::ChangeSystemBGM:
@@ -2110,16 +2110,8 @@ bool Game_Interpreter::CommandChangeSpriteAssociation(lcf::rpg::EventCommand con
 	}
 
 	auto file = ToString(CommandStringOrVariableBitfield(com, 3, 1, 4));
-
-	int idx = 0;
-	if (com.parameters.size() > 1) {
-		idx = ValueOrVariableBitfield(com, 3, 2, 1);
-	}
-
-	bool transparent = false;
-	if (com.parameters.size() > 2) {
-		transparent = com.parameters[2] != 0;
-	}
+	int idx = ValueOrVariableBitfield(com, 3, 2, 1);
+	bool transparent = com.parameters[2] != 0;
 
 	actor->SetSprite(file, idx, transparent);
 	Main_Data::game_player->ResetGraphic();
@@ -2129,15 +2121,14 @@ bool Game_Interpreter::CommandChangeSpriteAssociation(lcf::rpg::EventCommand con
 bool Game_Interpreter::CommandChangeActorFace(lcf::rpg::EventCommand const& com) { // code 10640
 	int id = ValueOrVariableBitfield(com, 2, 0, 0);
 	Game_Actor* actor = Main_Data::game_actors->GetActor(id);
-
 	if (!actor) {
 		Output::Warning("CommandChangeActorFace: Invalid actor ID {}", id);
 		return true;
 	}
 
 	actor->SetFace(
-			ToString(CommandStringOrVariableBitfield(com, 2, 1, 3)),
-			ValueOrVariableBitfield(com, 2, 2, 1));
+		ToString(CommandStringOrVariableBitfield(com, 2, 1, 3)),
+		ValueOrVariableBitfield(com, 2, 2, 1));
 	return true;
 }
 
diff --git a/src/game_interpreter_shared.h b/src/game_interpreter_shared.h
@@ -23,6 +23,7 @@
 #include <lcf/rpg/movecommand.h>
 #include <lcf/rpg/saveeventexecframe.h>
 #include <string_view.h>
+#include "compiler.h"
 
 class Game_Character;
 class Game_BaseInterpreterContext;
@@ -167,6 +168,25 @@ class Game_BaseInterpreterContext {
 	inline int ValueOrVariableBitfield(lcf::rpg::EventCommand const& com, int mode_idx, int shift, int val_idx) const {
 		return Game_Interpreter_Shared::ValueOrVariableBitfield<validate_patches, support_indirect_and_switch, support_scopes, support_named>(com, mode_idx, shift, val_idx, *this);
 	}
+
+	template<typename RetType, typename ClsType, typename... Args>
+	ClsType MemFnCls(RetType(ClsType::*)(Args...));
+
+	template<auto CMDFN, size_t MIN_SIZE>
+	bool CmdSetup(lcf::rpg::EventCommand const& com) {
+		using ClassType = decltype(MemFnCls(CMDFN));
+
+		if (EP_UNLIKELY(com.parameters.size() < MIN_SIZE)) {
+			// Slow resizing of the parameters
+			// Only happens for malformed commands
+			auto ncom = com;
+			ncom.parameters = lcf::DBArray<int32_t>(MIN_SIZE);
+			std::copy(com.parameters.begin(), com.parameters.end(), ncom.parameters.begin());
+			return (static_cast<ClassType*>(this)->*CMDFN)(ncom);
+		}
+
+		return (static_cast<ClassType*>(this)->*CMDFN)(com);
+	}
 };
 
 #endif
