Absurd texture name in error message

From DoomWiki.org

Revision as of 14:52, 25 February 2014 by Unmaker (talk | contribs) (some more info (hope i got it right))

When a map refers to a flat or texture that does not exist, the game aborts with an error message of the form R_FlatNumForName: %s not found or R_TextureNumForName: %s not found, where %s is replaced by the offending name.

In their data structures in memory, sidedefs pack the upper, lower, and middle texture names (in that order) in arrays of eight characters, with no separator or terminator between them:

typedef struct
{
    short    textureoffset;     // x offset applied to the textures on this side
    short    rowoffset;         // y offset applied to the textures on this side
    char     toptexture[8];     // upper texture name; no null byte when all 8 characters are used
    char     bottomtexture[8];  // lower texture name
    char     midtexture[8];     // middle texture name
    short    sector;            // sector on this side of the line
} mapsidedef_t;

Sectors pack floor and ceiling flat names in a similar way:

typedef struct
{
    short    floorheight;
    short    ceilingheight;
    char     floorpic[8];       // floor flat name; no null byte when all 8 characters are used
    char     ceilingpic[8];     // ceiling flat name
    short    lightlevel;
    short    special;           // sector special type
    short    tag;
} mapsector_t;

When a texture or flat is missing, the error string is printed with the offending name substituted for the %s token, and the pointer handed to the formatting function points straight into the eight-character field. C's %s expects a null-terminated string, so if the name is full (it uses all eight characters available) there is no terminator inside the field, and the formatting function keeps copying the following bytes in memory until it happens to find a null byte. Note that in the released linuxdoom-1.10 source, R_FlatNumForName first copies the name into a nine-character local buffer with a trailing null before calling I_Error, so there the runaway read occurs only in R_TextureNumForName, which passes the raw field to I_Error unchanged.

For example, if a sidedef is given a non-existent upper texture whose name uses all eight characters, then the name of the next field in memory, the lower texture, will be appended (regardless of whether that texture is missing or not). If that one is also full, the middle texture name will be appended too. And if the middle texture name is full, the two bytes of the sidedef's sector number follow, then the offsets, texture names, and sector number of the next sidedef, and so on, until a null byte is finally encountered, preferably before the read runs off the end of the lump data. In practice the run usually stops early: the sector number is stored as a little-endian 16-bit value, so for any sector index below 256 its high byte is zero and the message gains at most one stray character from the low byte. A lower or middle texture of "-" (no texture) also stops the run, because the seven unused bytes of the field are zero-padded.
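The runaway read described above, as an added example that is not part of the original page nor of the Doom source: it builds a constructed SIDEDEFS lump in memory with the layout shown (30-byte entries, little-endian shorts, no padding), then formats the error message once the way R_TextureNumForName does, passing the raw eight-character field to %s, and once with a %.8s precision that stops the read at the field boundary. The function names, the sample texture names and the sector and offset values are all assumptions chosen to show each case (a sector below 256, a "-" lower texture, and a sector and offsets whose bytes are all printable so the read continues into the next sidedef); the guard null byte at the end of the constructed lump is what keeps the demonstration itself from reading out of bounds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Doom's own code. On-disk SIDEDEFS layout: 30 bytes per
 * entry, little-endian shorts, eight-character names that are not
 * null-terminated when all eight characters are used. */
#define SIDEDEF_SIZE 30
#define OFF_TOP      4   /* after textureoffset and rowoffset */
#define OFF_BOTTOM   12
#define OFF_MID      20
#define OFF_SECTOR   28

static void put_short(unsigned char *dst, uint16_t v)
{
    dst[0] = (unsigned char)(v & 0xff);   /* WAD data is little-endian */
    dst[1] = (unsigned char)(v >> 8);
}

/* Store an up-to-8-character name, zero-padded like a WAD field. */
static void put_name(unsigned char *dst, const char *name)
{
    size_t n = strlen(name);
    memset(dst, 0, 8);
    memcpy(dst, name, n > 8 ? 8 : n);
}

static void put_sidedef(unsigned char *dst, uint16_t toff, uint16_t roff,
                        const char *top, const char *bottom,
                        const char *mid, uint16_t sector)
{
    put_short(dst + 0, toff);
    put_short(dst + 2, roff);
    put_name(dst + OFF_TOP, top);
    put_name(dst + OFF_BOTTOM, bottom);
    put_name(dst + OFF_MID, mid);
    put_short(dst + OFF_SECTOR, sector);
}

/* Constructed lump (assumed data): four sidedefs plus one guard null byte. */
#define NUM_SIDEDEFS 4
static unsigned char lump[NUM_SIDEDEFS * SIDEDEF_SIZE + 1];
static int lump_built = 0;

static void ensure_lump(void)
{
    if (lump_built)
        return;
    memset(lump, 0, sizeof lump);
    /* 0: all three names full; sector 65 = bytes 0x41 0x00 -> one 'A', then stop */
    put_sidedef(lump + 0 * SIDEDEF_SIZE, 0, 0, "BROWN144", "STARTAN3", "SUPPORT2", 65);
    /* 1: lower texture "-" (no texture); its zero padding stops the read */
    put_sidedef(lump + 1 * SIDEDEF_SIZE, 0, 0, "BROWN144", "-", "SUPPORT2", 3);
    /* 2 and 3: sector 0x4D41 ("AM") and printable offsets in the next entry
       keep the read running into sidedef 3's fields */
    put_sidedef(lump + 2 * SIDEDEF_SIZE, 0, 0, "BROWN144", "STARTAN3", "SUPPORT2", 0x4D41);
    put_sidedef(lump + 3 * SIDEDEF_SIZE, 0x2B2B, 0x2D2D, "BIGDOOR2", "-", "-", 0);
    lump_built = 1;
}

/* Buggy: hand the raw field to "%s", as R_TextureNumForName does. */
int buggy_message(size_t sidedef, size_t field_off, char *out, size_t outsz)
{
    const char *name;
    ensure_lump();
    name = (const char *)lump + sidedef * SIDEDEF_SIZE + field_off;
    return snprintf(out, outsz, "R_TextureNumForName: %s not found", name);
}

/* Fixed: a precision of 8 makes %s stop at the field boundary, so the
   argument need not be null-terminated (C11 7.21.6.1). Copying the eight
   bytes into a char[9] with a trailing 0 is the other common fix. */
int fixed_message(size_t sidedef, size_t field_off, char *out, size_t outsz)
{
    const char *name;
    ensure_lump();
    name = (const char *)lump + sidedef * SIDEDEF_SIZE + field_off;
    return snprintf(out, outsz, "R_TextureNumForName: %.8s not found", name);
}

/* 1 if the chosen formatter produces exactly `expected`, else 0. */
int message_is(int fixed, size_t sidedef, size_t field_off, const char *expected)
{
    char buf[128];
    if (fixed)
        fixed_message(sidedef, field_off, buf, sizeof buf);
    else
        buggy_message(sidedef, field_off, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[128];
    size_t i;
    for (i = 0; i < NUM_SIDEDEFS; i++) {
        buggy_message(i, OFF_TOP, buf, sizeof buf);
        puts(buf);
        fixed_message(i, OFF_TOP, buf, sizeof buf);
        puts(buf);
    }
    return 0;
}
```

Running it prints, for sidedef 0, "R_TextureNumForName: BROWN144STARTAN3SUPPORT2A not found" next to the corrected "R_TextureNumForName: BROWN144 not found"; sidedef 2 shows the read continuing through the sector bytes and into the next entry's offsets and names. The precision fix is the minimal change at the call site; copying into a null-terminated buffer is the form the engine already uses for flats, and either one removes the dependence on whatever byte happens to follow the field.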