From e92032d224963a526efe18ec3c233a5bcaa88f42 Mon Sep 17 00:00:00 2001
From: Iru Cai
Date: Sat, 18 Aug 2018 10:37:37 +0800
Subject: a buggy function that can crash the game

---
 csrc/buggy_func.c | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 csrc/buggy_func.c
(limited to 'csrc/buggy_func.c')
diff --git a/csrc/buggy_func.c b/csrc/buggy_func.c
new file mode 100644
index 0000000..a963b33
--- /dev/null
+++ b/csrc/buggy_func.c
@@ -0,0 +1,36 @@
+struct st
+{
+ int16_t f0;
+ int16_t f2;
+ int16_t f4;
+ int16_t f6;
+ int16_t * f8;
+ int16_t data[0];
+};
+
+static inline mem_copy_words(void *dst, void *src, size_t n)
+{
+ memcpy(dst, src, n*2);
+}
+
+int fcn_00451a97(struct st *a1, struct st *a2, int a3, int a4, int a5, int a6)
+{
+ if (a2 == NULL) {
+ a2 = malloc(a5 * a6 * 2 + 12);
+ }
+
+ a2->f0 = a5; /* number of words(16b) per block? */
+ a2->f2 = a6; /* number of blocks? */
+ a2->f4 = a2->f6 = 0;
+ a2->f8 = a2->data;
+
+ int16_t *ebx = &a1->f8[a1->f0 * a4 + a3];
+ int16_t *esi = a2->f8;
+
+ for (int i = 0; i < a6; i++) {
+ mem_copy_words(esi, ebx, a5); /* copy a5 words(16b) from ebx to esi */
+ esi = &esi[a5];
+ ebx = &ebx[a1->f0];
+ }
+ return a2;
+}
-- cgit v1.2.3
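Review bot: The allocation `malloc(a5 * a6 * 2 + 12)` hard-codes a 12-byte header that equals `sizeof(struct st)` only on a 32-bit target (`f8` is a pointer, so the header is 16 bytes under LP64), and its result is never checked, so the stores to `a2->f0`..`a2->f8` and the copy loop can write through a NULL or undersized block; `a2 = malloc(sizeof *a2 + (size_t)a5 * (size_t)a6 * sizeof(int16_t));` followed by an early return when it is NULL fixes both, and computing the size in `size_t` also avoids the signed overflow in the current `int` product. The loop never validates `a3`/`a4`/`a5`/`a6` against `a1->f0` and `a1->f2`, so the reads through `ebx` can run past the end of `a1`'s data; a guard such as `if (a5 < 0 || a6 < 0 || a3 + a5 > a1->f0 || a4 + a6 > a1->f2)` before the loop would reject the inputs that crash. The declared return type `int` does not match `return a2` (a `struct st *`), and `mem_copy_words` has no return type at all, neither of which is valid C99 or later — presumably these are meant to be `struct st *` and `void`. Since the subject line says the function is intentionally buggy, a comment above `fcn_00451a97` listing the known defects (`/* known issues: unchecked malloc, 32-bit header size, no bounds check on a1 */`) would at least mark them for readers.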