From 4ecac1570f3039c7b34f704ff337421f96c2c6e7 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Mon, 9 Sep 2024 23:57:34 +0200 Subject: [PATCH 1/3] sndlib: avoid shifting negative values sndlib/mixer.cpp:496:61: runtime error: left shift of negative value -1 sndlib/mixer.cpp:333:74: runtime error: left shift of negative value -1 sndlib/mixer.cpp:331:115: runtime error: left shift of negative value -2 x<>1) // Notes: (-256) is from (-128) + (-128) - sample = ((int)sample_8bit[samples_played ^ 0x0001] + (int)sample_8bit[samples_played + 1] - 256) << 7; + sample = (sample_8bit[samples_played ^ 0x0001] - 128 + + sample_8bit[samples_played + 1] - 128) * 0x80; } else - sample = (((int)sample_8bit[samples_played]) - (int)128) << 8; + sample = (sample_8bit[samples_played] - 128) * 0x100; } samples_played++; @@ -375,21 +378,21 @@ void software_mixer::StreamMixer(char *ptr, int len) { } else { switch (mod_pos) { case 0: - sample = ((((int)sample_8bit[samples_played]) - 128) << 8); + sample = (sample_8bit[samples_played] - 128) * 0x100; break; case 1: - sample = (((((int)sample_8bit[samples_played - 1]) - 128) << 8) * 3 + - ((((int)sample_8bit[samples_played + 3]) - 128) << 8)) >> + sample = ((sample_8bit[samples_played - 1] - 128) * 0x100 * 3 + + (sample_8bit[samples_played + 3] - 128) * 0x100) >> 2; break; case 2: - sample = (((((int)sample_8bit[samples_played - 2]) - 128) << 8) + - ((((int)sample_8bit[samples_played + 2]) - 128) << 8)) >> + sample = ((sample_8bit[samples_played - 2] - 128) * 0x100 + + (sample_8bit[samples_played + 2] - 128) * 0x100) >> 1; break; case 3: - sample = (((((int)sample_8bit[samples_played - 3]) - 128) << 8) + - ((((int)sample_8bit[samples_played + 1]) - 128) << 8) * 3) >> + sample = (((sample_8bit[samples_played - 3] - 128) * 0x100) + + ((sample_8bit[samples_played + 1] - 128) * 0x100) * 3) >> 2; break; } 
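Review bot: The four `mod_pos` cases in StreamMixer still read neighbours from `sample_8bit[samples_played - 3]` up to `sample_8bit[samples_played + 3]`, and nothing visible in the hunk bounds those indices against the sample buffer, so the last group of a buffer could read past its end. The switch sits in the middle of the function, so a length check may exist outside the hunk; if it does not, the shift check that found the issues fixed here would not report that read, and an AddressSanitizer run is the better tool to confirm. Separately, dropping the `(int)` casts makes the arithmetic depend on `sample_8bit` having an unsigned 8-bit element type. A comment above the switch would record that, for example `// sample_8bit is unsigned 8-bit PCM; (x - 128) * 0x100 maps 0..255 to -32768..32512`.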
@@ -489,11 +492,9 @@ inline void opti_8m_mix(uint8_t *cur_sample_8bit, const int num_write, int &samp
 int16_t *mb = mixer_buffer16;
 for (i = 0; i < (num_write << 1); i += 2) {
- int16_t sample;
 int l_sample;
 int r_sample;
-
- sample = (((int16_t)(*cur_sample_8bit)) - (int16_t)128) << 8;
+ int16_t sample = (*cur_sample_8bit - 128) * 0x100;
 cur_sample_8bit++;
 l_sample = *mb + (sample * l_volume);
From 46787709d7b20c843a4ba83e2f9692c6f64d6ab7 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Tue, 10 Sep 2024 00:42:11 +0200 Subject: [PATCH 2/3] lib: avoid shifting negative values in GR_RGB $GIT/lib/grdefs.h:85:67: runtime error: left shift of negative value -1 $GIT/lib/grdefs.h:85:79: runtime error: left shift of negative value -1 This happens because of: grtext/grtext.cpp:966 966 col = GR_RGB(str[i + 1], str[i + 2], str[i + 3]); (gdb) p str $2 = 0x46437fe "\001\377\377\377Max. Trans-Atmospheric" (gdb) ptyp str type = char * Make GR_RGB take uint8_ts, which causes the desired conversion at GR_RGB callsites.
---
 lib/grdefs.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/grdefs.h b/lib/grdefs.h
index 6d4c8869..4c2a7b96 100644
--- a/lib/grdefs.h
+++ b/lib/grdefs.h
@@ -50,7 +50,7 @@
 #ifndef GRDEFS_H
 #define GRDEFS_H
-#include "pstypes.h"
+#include
 // bit depth info
 #define BPP_TO_BYTESPP(x) (((x) + 7) >> 3)
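Review bot: `int16_t sample = (*cur_sample_8bit - 128) * 0x100;` in opti_8m_mix narrows an `int` result to `int16_t` implicitly; the value always fits for a `uint8_t` input, but nothing on the line says so. Proposed comment above it: `// u8 PCM -> s16: (0..255 - 128) * 256 is -32768..32512, always representable in int16_t`. The same conversion is written out by hand in each StreamMixer case of this patch, so a small helper such as `static inline int16_t u8_to_s16(uint8_t v) { return (v - 128) * 0x100; }` would keep the copies from drifting apart. The loop body continues outside the hunk.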
@@ -82,9 +82,9 @@ static const ddgr_color GR_NULL = 0xffffffff, // don't do a thing with this.
 #define GR_COLOR_CHAR 1 // ASCII 1 and (r,g,b) changes current text color in string.
 // MACROS
-static inline ddgr_color GR_RGB(int r, int g, int b) { return ((r << 16) + (g << 8) + b); }
+static inline ddgr_color GR_RGB(uint8_t r, uint8_t g, uint8_t b) { return ((r << 16) + (g << 8) + b); }
-static inline uint16_t GR_RGB16(int r, int g, int b) { return (((r >> 3) << 10) + ((g >> 3) << 5) + (b >> 3)); }
+static inline uint16_t GR_RGB16(uint8_t r, uint8_t g, uint8_t b) { return (((r >> 3) << 10) + ((g >> 3) << 5) + (b >> 3)); }
 static inline uint16_t GR_COLOR_TO_16(ddgr_color c) {
 int r, g, b;
From 1d6fe057858e0bb371776d84aa8bccef8732ebd4 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Tue, 10 Sep 2024 00:53:09 +0200 Subject: [PATCH 3/3] Resolve out-of-bounds access during level 1 Descent3/aipath.cpp:663:40: runtime error: index -1 out of bounds for type 'short unsigned int [5]' Fixes: bb1d6f6f857cf37322cb89fd1470776aa3d8f317
---
 Descent3/aipath.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Descent3/aipath.cpp b/Descent3/aipath.cpp
index cddaa4c0..540b4feb 100644
--- a/Descent3/aipath.cpp
+++ b/Descent3/aipath.cpp
@@ -662,7 +662,7 @@ static inline bool AIPathAddDPathNode(ai_path_info *aip, int *slot, int *cur_nod
 AIDynamicPath[*slot].pos[*cur_node] = *pos;
 AIDynamicPath[*slot].roomnum[(*cur_node)++] = room;
- if (aip->num_paths >= 0)
+ if (aip->num_paths > 0)
 aip->path_end_node[aip->num_paths - 1] = *cur_node - 1;
 return true;
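Review bot: With `uint8_t` parameters, `GR_RGB` and `GR_RGB16` now reduce any out-of-range `int` argument modulo 256 at the call, silently unless the build enables `-Wconversion`; a computed channel of 256 becomes 0 where it used to carry into the next channel. That is the intended effect for the `char` bytes read in grtext.cpp, but callers that compute channels arithmetically are not visible here and should be checked for clamping. The call site quoted in the commit message takes `str[i + 1]` to `str[i + 3]` straight from a string, so it is also worth confirming there that all three bytes exist before they are read. The `// MACROS` heading above these inline functions is stale and could read `// Colour packing helpers`.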
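Review bot: The guard in AIPathAddDPathNode now excludes `num_paths == 0` but still has no upper bound, and the sanitizer message in the commit describes the indexed array as having 5 elements, so a `num_paths` above that would write past `path_end_node`. If no invariant elsewhere covers this, extend the check, e.g. `if (aip->num_paths > 0 && static_cast<size_t>(aip->num_paths) <= std::size(aip->path_end_node))` (C++17, `<iterator>`), or compare against the project's own array-size constant. The two `AIDynamicPath[*slot]` stores just above are likewise indexed by `*slot` and `*cur_node` with no check visible in the hunk. The function begins outside the hunk, so a check may exist earlier.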