gfx_AllocSprite bugs #658

@ZERICO2005

    ld    hl, (hl)        ; hl = malloc
    push    de
    mlt    de            ; de = width * height
    inc    de            ; +2 to store width and height
    inc    de            ; de = width * height + 2
    push    de
    call    _indcallHL        ; hl = malloc(width * height + 2)
    pop    de            ; de = width * height + 2
    add    hl, de            ; this should never carry
    sbc    hl, de            ; check if malloc failed (hl == 0)
    pop    de            ; e = width, d = height
    ret    z            ; abort if malloc failed
    ld    (hl), de        ; store width and height
    ret

gfx_AllocSprite assumes that the malloc routine won't destroy the stack parameters. However, __simple_malloc does pop bc \ ex (sp), hl \ push bc, which breaks the assumption that add hl, de wouldn't set carry.

There is also another bug where if width * height == 0, then malloc would allocate 2 bytes, but ld (hl), de writes 3 bytes. But then again, sprite routines don't handle sprites with zero width/height.
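A C model of the two conditions described in this issue, added here as an illustration; it is not code from the issue author or from the toolchain. The pointer and register values in `main` are constructed, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define MASK24 0xFFFFFFu  /* registers are modelled as 24 bits wide */

/* Model of `add hl, de` followed by `sbc hl, de`.
   Returns the final HL; *zero receives the Z flag left by sbc. */
static uint32_t add_then_sbc(uint32_t hl, uint32_t de, int *zero)
{
    uint32_t sum = (hl & MASK24) + (de & MASK24);
    uint32_t carry = sum >> 24;            /* carry out of add hl, de */
    uint32_t res = ((sum & MASK24) - (de & MASK24) - carry) & MASK24;
    *zero = (res == 0);
    return res;
}

/* Bytes requested from malloc: mlt de, then two inc de. */
static uint32_t bytes_allocated(uint8_t width, uint8_t height)
{
    return (uint32_t)width * height + 2;
}

/* Bytes written past the allocation by the 3-byte `ld (hl), de`. */
static uint32_t header_overrun(uint8_t width, uint8_t height)
{
    uint32_t alloc = bytes_allocated(width, height);
    return alloc < 3 ? 3 - alloc : 0;
}

int main(void)
{
    int z;
    /* Constructed values: a malloc result, the intended DE (size),
       and a DE replaced by an unrelated large value via the stack. */
    uint32_t ptr = 0xD10000u, size = bytes_allocated(16, 16);
    uint32_t clobbered = 0xD20000u;

    uint32_t ok = add_then_sbc(ptr, size, &z);
    printf("DE = size:      HL = %06lX, Z = %d\n", (unsigned long)ok, z);
    uint32_t bad = add_then_sbc(ptr, clobbered, &z);
    printf("DE = clobbered: HL = %06lX, Z = %d\n", (unsigned long)bad, z);
    printf("0x0 sprite: alloc %lu bytes, overrun %lu byte(s)\n",
           (unsigned long)bytes_allocated(0, 0),
           (unsigned long)header_overrun(0, 0));
    return 0;
}
```

When the add carries, the sbc subtracts one extra, so the pointer that gets the width/height store and is returned to the caller is one byte below what malloc returned.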
