From 99d8626f4a313471410db421891e90fe768cd929 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Mikrut?= <mikrutrafal54@gmail.com>
Date: Wed, 20 Nov 2019 16:22:16 +0100
Subject: [PATCH] Fix some overflows and unitialized variables

---
 core/io/packet_peer.cpp                      | 1 +
 core/math/camera_matrix.cpp                  | 4 ++++
 core/project_settings.cpp                    | 2 ++
 core/typedefs.h                              | 3 +++
 core/ustring.cpp                             | 2 +-
 drivers/gles2/rasterizer_canvas_gles2.cpp    | 4 ++++
 drivers/gles2/shader_gles2.h                 | 1 +
 editor/doc/doc_data.h                        | 3 +++
 editor/editor_sectioned_inspector.cpp        | 4 ++--
 editor/plugins/canvas_item_editor_plugin.cpp | 2 ++
 editor/script_create_dialog.cpp              | 1 +
 editor/script_editor_debugger.cpp            | 1 +
 scene/2d/tile_map.cpp                        | 4 ++--
 scene/animation/tween.cpp                    | 2 ++
 scene/gui/range.cpp                          | 2 ++
 scene/gui/tree.h                             | 2 +-
 scene/resources/audio_stream_sample.cpp      | 5 +++--
 17 files changed, 35 insertions(+), 8 deletions(-)

diff --git a/core/io/packet_peer.cpp b/core/io/packet_peer.cpp
index 821a04ebad..23dfc58385 100644
--- a/core/io/packet_peer.cpp
+++ b/core/io/packet_peer.cpp
@@ -279,6 +279,7 @@ Ref<StreamPeer> PacketPeerStream::get_stream_peer() const {
 
 void PacketPeerStream::set_input_buffer_max_size(int p_max_size) {
 
+	ERR_FAIL_COND_MSG(p_max_size < 0, "Max size of input buffer size cannot be smaller than 0.");
 	//warning may lose packets
 	ERR_FAIL_COND_MSG(ring_buffer.data_left(), "Buffer in use, resizing would cause loss of data.");
 	ring_buffer.resize(nearest_shift(p_max_size + 4));
diff --git a/core/math/camera_matrix.cpp b/core/math/camera_matrix.cpp
index 30c0cab909..b9b0f4ac54 100644
--- a/core/math/camera_matrix.cpp
+++ b/core/math/camera_matrix.cpp
@@ -183,6 +183,10 @@ void CameraMatrix::set_orthogonal(real_t p_size, real_t p_aspect, real_t p_znear
 
 void CameraMatrix::set_frustum(real_t p_left, real_t p_right, real_t p_bottom, real_t p_top, real_t p_near, real_t p_far) {
 
+	ERR_FAIL_COND(p_right <= p_left);
+	ERR_FAIL_COND(p_top <= p_bottom);
+	ERR_FAIL_COND(p_far <= p_near);
+
 	real_t *te = &matrix[0][0];
 	real_t x = 2 * p_near / (p_right - p_left);
 	real_t y = 2 * p_near / (p_top - p_bottom);
diff --git a/core/project_settings.cpp b/core/project_settings.cpp
index 7704c7b377..ba5cdd782f 100644
--- a/core/project_settings.cpp
+++ b/core/project_settings.cpp
@@ -525,6 +525,8 @@ Error ProjectSettings::_load_settings_binary(const String &p_path) {
 		set(key, value);
 	}
 
+	f->close();
+	memdelete(f);
 	return OK;
 }
 
diff --git a/core/typedefs.h b/core/typedefs.h
index 767a97ac38..42f34c73cb 100644
--- a/core/typedefs.h
+++ b/core/typedefs.h
@@ -174,6 +174,9 @@ inline void __swap_tmpl(T &x, T &y) {
 
 static _FORCE_INLINE_ unsigned int next_power_of_2(unsigned int x) {
 
+	if (x == 0)
+		return 0;
+
 	--x;
 	x |= x >> 1;
 	x |= x >> 2;
diff --git a/core/ustring.cpp b/core/ustring.cpp
index 0f82ca7e15..25930db201 100644
--- a/core/ustring.cpp
+++ b/core/ustring.cpp
@@ -1416,7 +1416,7 @@ bool String::parse_utf8(const char *p_utf8, int p_len) {
 
 			if (skip == 0) {
 
-				uint8_t c = *ptrtmp;
+				uint8_t c = *ptrtmp >= 0 ? *ptrtmp : uint8_t(256 + *ptrtmp);
 
 				/* Determine the number of characters in sequence */
 				if ((c & 0x80) == 0)
diff --git a/drivers/gles2/rasterizer_canvas_gles2.cpp b/drivers/gles2/rasterizer_canvas_gles2.cpp
index e34705f7b7..52dfb44a9d 100644
--- a/drivers/gles2/rasterizer_canvas_gles2.cpp
+++ b/drivers/gles2/rasterizer_canvas_gles2.cpp
@@ -749,6 +749,10 @@ void RasterizerCanvasGLES2::_canvas_item_render_commands(Item *p_item, Item *cur
 					WARN_PRINT("NinePatch without texture not supported yet in GLES2 backend, skipping.");
 					continue;
 				}
+				if (tex->width == 0 || tex->height == 0) {
+					WARN_PRINT("Cannot set empty texture to NinePatch.");
+					continue;
+				}
 
 				Size2 texpixel_size(1.0 / tex->width, 1.0 / tex->height);
 
diff --git a/drivers/gles2/shader_gles2.h b/drivers/gles2/shader_gles2.h
index 2456a83d35..c7a6465194 100644
--- a/drivers/gles2/shader_gles2.h
+++ b/drivers/gles2/shader_gles2.h
@@ -119,6 +119,7 @@ private:
 		bool ok;
 		Version() {
 			code_version = 0;
+			frag_id = 0;
 			ok = false;
 			uniform_location = NULL;
 		}
diff --git a/editor/doc/doc_data.h b/editor/doc/doc_data.h
index 6d601f0dce..b722c324d6 100644
--- a/editor/doc/doc_data.h
+++ b/editor/doc/doc_data.h
@@ -78,6 +78,9 @@ public:
 		bool operator<(const PropertyDoc &p_prop) const {
 			return name < p_prop.name;
 		}
+		PropertyDoc() {
+			overridden = false;
+		}
 	};
 
 	struct ClassDoc {
diff --git a/editor/editor_sectioned_inspector.cpp b/editor/editor_sectioned_inspector.cpp
index abff8190af..1993f24b24 100644
--- a/editor/editor_sectioned_inspector.cpp
+++ b/editor/editor_sectioned_inspector.cpp
@@ -177,7 +177,7 @@ String SectionedInspector::get_full_item_path(const String &p_item) {
 void SectionedInspector::edit(Object *p_object) {
 
 	if (!p_object) {
-		obj = -1;
+		obj = 0;
 		sections->clear();
 
 		filter->set_edited(NULL);
@@ -308,7 +308,7 @@ EditorInspector *SectionedInspector::get_inspector() {
 }
 
 SectionedInspector::SectionedInspector() :
-		obj(-1),
+		obj(0),
 		sections(memnew(Tree)),
 		filter(memnew(SectionedInspectorFilter)),
 		inspector(memnew(EditorInspector)),
diff --git a/editor/plugins/canvas_item_editor_plugin.cpp b/editor/plugins/canvas_item_editor_plugin.cpp
index 7170ce30cc..336d908637 100644
--- a/editor/plugins/canvas_item_editor_plugin.cpp
+++ b/editor/plugins/canvas_item_editor_plugin.cpp
@@ -5262,6 +5262,8 @@ CanvasItemEditor::CanvasItemEditor(EditorNode *p_editor) {
 	drag_to = Vector2();
 	dragged_guide_pos = Point2();
 	dragged_guide_index = -1;
+	is_hovering_h_guide = false;
+	is_hovering_v_guide = false;
 	panning = false;
 	pan_pressed = false;
 
diff --git a/editor/script_create_dialog.cpp b/editor/script_create_dialog.cpp
index 6522cf4d02..08bf52ab57 100644
--- a/editor/script_create_dialog.cpp
+++ b/editor/script_create_dialog.cpp
@@ -852,6 +852,7 @@ ScriptCreateDialog::ScriptCreateDialog() {
 	hb->add_child(path_button);
 	gc->add_child(memnew(Label(TTR("Path:"))));
 	gc->add_child(hb);
+	re_check_path = false;
 
 	/* Dialog Setup */
 
diff --git a/editor/script_editor_debugger.cpp b/editor/script_editor_debugger.cpp
index afbd8832f2..76dcd10b50 100644
--- a/editor/script_editor_debugger.cpp
+++ b/editor/script_editor_debugger.cpp
@@ -2600,6 +2600,7 @@ ScriptEditorDebugger::ScriptEditorDebugger(EditorNode *p_editor) {
 	p_editor->get_undo_redo()->set_method_notify_callback(_method_changeds, this);
 	p_editor->get_undo_redo()->set_property_notify_callback(_property_changeds, this);
 	live_debug = true;
+	camera_override = OVERRIDE_NONE;
 	last_path_id = false;
 	error_count = 0;
 	warning_count = 0;
diff --git a/scene/2d/tile_map.cpp b/scene/2d/tile_map.cpp
index 173214dfe4..d75d8cfc55 100644
--- a/scene/2d/tile_map.cpp
+++ b/scene/2d/tile_map.cpp
@@ -1233,8 +1233,8 @@ void TileMap::_set_tile_data(const PoolVector<int> &p_data) {
 		}
 #endif
 
-		int16_t x = decode_uint16(&local[0]);
-		int16_t y = decode_uint16(&local[2]);
+		uint16_t x = decode_uint16(&local[0]);
+		uint16_t y = decode_uint16(&local[2]);
 		uint32_t v = decode_uint32(&local[4]);
 		bool flip_h = v & (1 << 29);
 		bool flip_v = v & (1 << 30);
diff --git a/scene/animation/tween.cpp b/scene/animation/tween.cpp
index a7d936fcd3..ce3f2b3b1a 100644
--- a/scene/animation/tween.cpp
+++ b/scene/animation/tween.cpp
@@ -63,6 +63,8 @@ void Tween::_add_pending_command(StringName p_key, const Variant &p_arg1, const
 		count = 2;
 	else if (p_arg1.get_type() != Variant::NIL)
 		count = 1;
+	else
+		count = 0;
 
 	// Add the specified arguments to the command
 	// TODO: Make this a switch statement?
diff --git a/scene/gui/range.cpp b/scene/gui/range.cpp
index 9c016b5a50..362697b4ad 100644
--- a/scene/gui/range.cpp
+++ b/scene/gui/range.cpp
@@ -173,6 +173,8 @@ void Range::set_as_ratio(double p_value) {
 }
 double Range::get_as_ratio() const {
 
+	ERR_FAIL_COND_V_MSG(Math::is_equal_approx(get_max(), get_min()), 0.0, "Cannot get ratio when minimum and maximum value are equal.");
+
 	if (shared->exp_ratio && get_min() >= 0) {
 
 		double exp_min = get_min() == 0 ? 0.0 : Math::log(get_min()) / Math::log((double)2);
diff --git a/scene/gui/tree.h b/scene/gui/tree.h
index 361830173b..d5227f6e65 100644
--- a/scene/gui/tree.h
+++ b/scene/gui/tree.h
@@ -159,7 +159,7 @@ protected:
 	//bind helpers
 	Dictionary _get_range_config(int p_column) {
 		Dictionary d;
-		double min, max, step;
+		double min = 0.0, max = 0.0, step = 0.0;
 		get_range_config(p_column, min, max, step);
 		d["min"] = min;
 		d["max"] = max;
diff --git a/scene/resources/audio_stream_sample.cpp b/scene/resources/audio_stream_sample.cpp
index 5b61654c5d..286f9e37cd 100644
--- a/scene/resources/audio_stream_sample.cpp
+++ b/scene/resources/audio_stream_sample.cpp
@@ -95,8 +95,8 @@ void AudioStreamPlaybackSample::do_resample(const Depth *p_src, AudioFrame *p_ds
 	// this function will be compiled branchless by any decent compiler
 
 	int32_t final, final_r, next, next_r;
-	while (amount--) {
-
+	while (amount) {
+		amount--;
 		int64_t pos = offset >> MIX_FRAC_BITS;
 		if (is_stereo && !is_ima_adpcm)
 			pos <<= 1;
@@ -444,6 +444,7 @@ int AudioStreamSample::get_loop_end() const {
 
 void AudioStreamSample::set_mix_rate(int p_hz) {
 
+	ERR_FAIL_COND(p_hz == 0);
 	mix_rate = p_hz;
 }
 int AudioStreamSample::get_mix_rate() const {