[Scummvm-cvs-logs] CVS: scummvm/scumm imuse_digi.cpp,1.109,1.110 bundle.cpp,1.51,1.52
Max Horn
fingolfin at users.sourceforge.net
Thu Jan 1 19:26:58 CET 2004
Update of /cvsroot/scummvm/scummvm/scumm
In directory sc8-pr-cvs1:/tmp/cvs-serv12004
Modified Files:
imuse_digi.cpp bundle.cpp
Log Message:
Fix for bug #869045 (DIG: Crash in bundle decoder); 'twas a buffer overflow
Index: imuse_digi.cpp
===================================================================
RCS file: /cvsroot/scummvm/scummvm/scumm/imuse_digi.cpp,v
retrieving revision 1.109
retrieving revision 1.110
diff -u -d -r1.109 -r1.110
--- imuse_digi.cpp 29 Dec 2003 13:41:20 -0000 1.109
+++ imuse_digi.cpp 2 Jan 2004 03:20:07 -0000 1.110
@@ -1294,7 +1294,7 @@
ptr = _musicBundleBufOutput;
- for (k = 0, l = _currentSampleBundleMusic; l < num; k++) {
+ for (k = 0, l = _currentSampleBundleMusic; l < num && (_offsetSampleBundleMusic < _outputMixerSize + header_size); k++) {
length = _bundle->decompressMusicSampleByName(_nameBundleMusic, l, (_musicBundleBufOutput + ((k * 0x2000) + _offsetBufBundleMusic)));
_offsetSampleBundleMusic += length;
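Review bot: The new loop condition bounds the accumulated `_offsetSampleBundleMusic`, but the pointer handed to `decompressMusicSampleByName`, `_musicBundleBufOutput + (k * 0x2000) + _offsetBufBundleMusic`, is never compared with the allocated size of `_musicBundleBufOutput`. The condition is tested before each decode, so one more chunk is still written after the last check that passes. The buffer therefore needs headroom beyond `_outputMixerSize + header_size`, and its allocation is not visible in this hunk, so that should be confirmed. I would state the invariant at the loop, e.g. `// invariant: _musicBundleBufOutput holds _outputMixerSize + header_size plus one decoded chunk`, and check the write offset before the call, since the decoder receives only a raw `byte *` with no capacity. The loop body continues outside the hunk.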
@@ -1338,13 +1338,13 @@
l++;
_currentSampleBundleMusic = l;
- if (_offsetSampleBundleMusic >= _outputMixerSize + header_size) {
- memcpy(_musicBundleBufFinal, (_musicBundleBufOutput + header_size), _outputMixerSize);
- _offsetBufBundleMusic = _offsetSampleBundleMusic - _outputMixerSize - header_size;
- memcpy(_musicBundleBufOutput, (_musicBundleBufOutput + (_outputMixerSize + header_size)), _offsetBufBundleMusic);
- _offsetSampleBundleMusic = _offsetBufBundleMusic;
- break;
- }
+ }
+
+ if (_offsetSampleBundleMusic >= _outputMixerSize + header_size) {
+ memcpy(_musicBundleBufFinal, (_musicBundleBufOutput + header_size), _outputMixerSize);
+ _offsetBufBundleMusic = _offsetSampleBundleMusic - _outputMixerSize - header_size;
+ memcpy(_musicBundleBufOutput, (_musicBundleBufOutput + (_outputMixerSize + header_size)), _offsetBufBundleMusic);
+ _offsetSampleBundleMusic = _offsetBufBundleMusic;
}
if (_currentSampleBundleMusic == num) {
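Review bot: The second `memcpy` in the block now placed after the loop copies within `_musicBundleBufOutput` itself, from offset `_outputMixerSize + header_size` down to offset 0, and `memcpy` is undefined when the two ranges overlap. They overlap whenever `_offsetBufBundleMusic` exceeds `_outputMixerSize + header_size`. The new loop guard probably keeps the leftover below one decoded chunk, but nothing visible here relates the chunk size to the mixer size. Using `memmove(_musicBundleBufOutput, _musicBundleBufOutput + (_outputMixerSize + header_size), _offsetBufBundleMusic);` removes the dependency on that relationship. The enclosing function starts and ends outside the hunk.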
Index: bundle.cpp
===================================================================
RCS file: /cvsroot/scummvm/scummvm/scumm/bundle.cpp,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -d -r1.51 -r1.52
--- bundle.cpp 25 Dec 2003 21:33:30 -0000 1.51
+++ bundle.cpp 2 Jan 2004 03:20:07 -0000 1.52
@@ -318,8 +318,7 @@
}
int32 Bundle::decompressMusicSampleByIndex(int32 index, int32 number, byte *comp_final) {
- int32 i = 0;
- int tag, num, final_size;
+ int final_size;
byte *comp_input;
if (_musicFile.isOpen() == false) {
@@ -328,6 +327,7 @@
}
if (_lastSong != index) {
+ int i, tag, num;
_musicFile.seek(_bundleMusicTable[index].offset, SEEK_SET);
tag = _musicFile.readUint32BE();
num = _musicFile.readUint32BE();
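Review bot: `num` is filled from `_musicFile.readUint32BE()` into a signed `int`, so a count above INT_MAX in the bundle file becomes negative, and no range check is visible before the hunk ends. The code that consumes `tag` and `num` lies outside the hunk, so confirm the count is validated there before it sizes or indexes anything, since the bundle file is external input. Separately, `i` was `int32 i = 0;` before and is now declared uninitialised in `int i, tag, num;`. If the later code does not assign it before first use, `int i = 0, tag, num;` keeps the old behaviour.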