'movementMask' out of bound access in generated function 'repositionEntitiesAtCell()' #1120

@caogtaa

For a 2-layer game, the following function is created as 'repositionEntitiesAtCell()'.

A single int32 is enough to store the movement bit masks of 2 layers, but the function accesses movementMask.data[0+1], which returns undefined.

This issue is harmless, because:

  1. undefined << x returns 0 and won't break the logic.
  2. For games that have complex layers, data[1] has no chance to 'pollute' layerMovement in an unexpected way because of the left shift and &31 operations.

However, the bug in BitVec is worth fixing to prevent further risk.

```javascript
(function anonymous(level,positionIndex
) {
'use strict';
    const movementMask = level.getMovements(positionIndex);
    if ((true&&(movementMask.data[0]===0))){
        return false;
    }

    let moved = false;
    {
        const layerMovement = 31&(movementMask.data[0] >>> 0);
        if (layerMovement !== 0) {
            const thismoved = repositionEntitiesOnLayer(positionIndex, 0, layerMovement);
            if (thismoved) {
                movementMask.data[0] &= ~(layerMovement<<0);

                moved = true;
            }
        }
    }{
        const layerMovement = 31&((movementMask.data[0] >>> 5) | (movementMask.data[0+1] << (32-5)));
        if (layerMovement !== 0) {
            const thismoved = repositionEntitiesOnLayer(positionIndex, 1, layerMovement);
            if (thismoved) {
                movementMask.data[0] &= ~(layerMovement<<5);
movementMask.data[1] &= ~(layerMovement>>>27);

                moved = true;
            }
        }
    }

    
        level.movements[positionIndex * STRIDE_MOV + 0] = movementMask.data[0];
    
        
    //corresponding object stuff in repositionEntitiesOnLayer
    const colIndex=(positionIndex/this.height)|0;
    const rowIndex=(positionIndex%level.height);
    level.colCellContents_Movements[colIndex].data[0] |= movementMask.data[0];

    level.rowCellContents_Movements[rowIndex].data[0] |= movementMask.data[0];

    level.mapCellContents_Movements.data[0] |= movementMask.data[0];

    
    return moved;
})
```

A level to reproduce the issue (or any simple level that has at least 2 layers):

```
title Test Out Of Bound Access
author caogtaa

========
OBJECTS
========
Background .
black

Player P 
white

=======
LEGEND
=======

=======
SOUNDS
=======

================
COLLISIONLAYERS
================
Background
P

======
RULES     
======     

==============
WINCONDITIONS
==============

=======     
LEVELS
=======
.....
.....
..P..
.....
.....
```
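The out-of-bounds read and write described in the issue above, as an added example that is not part of the original issue or the project's code: it mirrors the generated 5-bit field expression, compares it with a guarded form, and shows why the stray `data[1]` write is only harmless on a typed array. It assumes the mask words are an `Int32Array` and that the next-word term is emitted whenever the shift is non-zero (inferred from the two layers shown); all function names are hypothetical.

```javascript
// Added example. Assumption: movement masks are stored 5 bits per layer in an
// Int32Array, as in the generated code above; function names are hypothetical.
const BITS = 5, FIELD = 31;

// Mirrors the generated expression: whenever shift != 0 it reads data[word + 1],
// even when the 5-bit field lies entirely inside data[word].
function readLayerUnguarded(data, layer) {
  const bit = layer * BITS, word = bit >>> 5, shift = bit & 31;
  if (shift === 0) return FIELD & data[word];
  return FIELD & ((data[word] >>> shift) | (data[word + 1] << (32 - shift)));
}

// Guarded form: touch the next word only if the field crosses a 32-bit boundary.
function readLayerGuarded(data, layer) {
  const bit = layer * BITS, word = bit >>> 5, shift = bit & 31;
  let value = data[word] >>> shift;
  if (shift + BITS > 32) {
    if (word + 1 >= data.length) throw new RangeError('mask word ' + (word + 1) + ' missing');
    value |= data[word + 1] << (32 - shift);
  }
  return FIELD & value;
}

// Layers for which the unguarded expression indexes past the end of the mask.
function outOfBoundsLayers(layerCount) {
  const words = Math.ceil(layerCount * BITS / 32);
  const hits = [];
  for (let layer = 0; layer < layerCount; layer++) {
    const bit = layer * BITS;
    if ((bit & 31) !== 0 && (bit >>> 5) + 1 >= words) hits.push(layer);
  }
  return hits;
}

// Clearing data[1] as the generated code does: ignored by a typed array,
// but a plain Array silently grows and now holds a stray word.
function clearNextWord(data, layerMovement) {
  data[1] &= ~(layerMovement >>> 27);
  return data.length;
}
```

With a one-word mask, `outOfBoundsLayers(2)` reports layer 1, matching the `data[0+1]` access in the generated function, while a seven-layer mask (two words) reports none because the next word always exists.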
