Numeric overflow crash in tall areas

All versions of the Doom engine from v0.9 to v1.9, including Raven's Heretic and Hexen, have exhibited limitations with tall areas. This sometimes simply manifested as rendering glitches (such as the screen filling up with a horizon-like flat), but more often than not, the game crashed. Although not commonly known, these limitations can begin to manifest as early as 2500 units' difference between floor and ceiling.

Although Doom in theory should be able to handle areas between -32768 and 32767, limitations arise when large numbers must be added or multiplied together. In order to save memory and to achieve better cache performance, Doom scaled down texture mapping coordinates by 12 bits in order to fit them into a clipping array made up of 16-bit "short" integers. For normal situations this works fine, but if the result of a clipping operation yields a value too small (less than -32767), the game engine forces this out-of-range value into the clipping array and ends up with a very large value instead.

Very large values in the clipping array are equivalent to telling the game engine to draw off the bottom of the screen, and in the interest of efficiency, no bounds checking is done on values retrieved from the arrays. This can cause any of Doom's drawing routines to run past the boundaries of the framebuffer, and it may also cause a loop in the function [code]R_MakeSpans[/code] to run out of bounds on the [code]spanstart[/code] array and overwrite most of Doom's static variable area (also known as the BSS segment). Any of the three different ways in which this can crash will result in a Venetian blind crash.
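
The narrowing described above, as an added C example that is not taken from the Doom source: a coordinate is scaled down by 12 bits and stored in a 16-bit value, once unchecked and once clamped to the rows that exist. The function names, the 200-row screen height and the sample coordinates are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define HEIGHTBITS   12   /* the 12-bit scale-down described above */
#define SCREENHEIGHT 200  /* assumed number of framebuffer rows */

/* Floor-divide a fixed-point coordinate by 2^12 without relying on
   implementation-defined right shifts of negative values. */
static int32_t scale_down(int32_t frac)
{
    int64_t f = frac;
    return (int32_t)(f >= 0 ? f >> HEIGHTBITS
                            : -((-f + (1 << HEIGHTBITS) - 1) >> HEIGHTBITS));
}

/* Unchecked store: only the low 16 bits survive, as in a write to a short. */
static int16_t store_unchecked(int32_t frac)
{
    uint16_t low = (uint16_t)scale_down(frac);   /* reduction modulo 2^16 */
    return (int16_t)(low < 0x8000 ? low : low - 0x10000);
}

/* Checked store: clamp to existing rows before narrowing to 16 bits. */
static int16_t store_clamped(int32_t frac)
{
    int32_t row = scale_down(frac);
    if (row < 0) row = 0;
    if (row > SCREENHEIGHT - 1) row = SCREENHEIGHT - 1;
    return (int16_t)row;
}

/* Reader-side check a drawing loop could apply before indexing by row. */
static int row_in_bounds(int16_t row)
{
    return row >= 0 && row < SCREENHEIGHT;
}

int main(void)
{
    /* Constructed inputs: rows 100, -5 and -40000 in 12-bit fixed point. */
    const int32_t samples[] = { 100 * 4096, -5 * 4096, -40000 * 4096 };
    for (int i = 0; i < 3; i++) {
        int16_t u = store_unchecked(samples[i]), c = store_clamped(samples[i]);
        printf("row %6d -> unchecked %6d (in bounds: %d), clamped %3d\n",
               (int)scale_down(samples[i]), u, row_in_bounds(u), c);
    }
    return 0;
}
```

The constructed row -40000 lies below the 16-bit range and comes back from the unchecked store as 25536, far beyond the last row; clamping before the store, or checking the value when it is read, keeps it inside the screen.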