[Scummvm-cvs-logs] CVS: scummvm/scumm imuse_digi.cpp,1.109,1.110 bundle.cpp,1.51,1.52

Max Horn fingolfin at users.sourceforge.net
Thu Jan 1 19:26:58 CET 2004


Update of /cvsroot/scummvm/scummvm/scumm
In directory sc8-pr-cvs1:/tmp/cvs-serv12004

Modified Files:
	imuse_digi.cpp bundle.cpp 
Log Message:
Fix for bug #869045 (DIG: Crash in bundle decoder); t'was a buffer overflow

Index: imuse_digi.cpp
===================================================================
RCS file: /cvsroot/scummvm/scummvm/scumm/imuse_digi.cpp,v
retrieving revision 1.109
retrieving revision 1.110
diff -u -d -r1.109 -r1.110
--- imuse_digi.cpp	29 Dec 2003 13:41:20 -0000	1.109
+++ imuse_digi.cpp	2 Jan 2004 03:20:07 -0000	1.110
@@ -1294,7 +1294,7 @@
 
 	ptr = _musicBundleBufOutput;
 
-	for (k = 0, l = _currentSampleBundleMusic; l < num; k++) {
+	for (k = 0, l = _currentSampleBundleMusic; l < num && (_offsetSampleBundleMusic < _outputMixerSize + header_size); k++) {
 		length = _bundle->decompressMusicSampleByName(_nameBundleMusic, l, (_musicBundleBufOutput + ((k * 0x2000) + _offsetBufBundleMusic)));
 		_offsetSampleBundleMusic += length;
 
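Review bot: The new guard in the `for` header bounds `_offsetSampleBundleMusic`, but the address actually written on the next line is `_musicBundleBufOutput + k * 0x2000 + _offsetBufBundleMusic`, which only tracks that counter if every block returns `length == 0x2000`; a shorter block leaves the write position ahead of the guarded counter, so the guard can under-count. The two start equal (k == 0, and the second hunk resets `_offsetSampleBundleMusic` to `_offsetBufBundleMusic` after the flush), so the assumption could be pinned with `assert(k * 0x2000 + _offsetBufBundleMusic == _offsetSampleBundleMusic);` at the top of the loop body, or the guard could test the write position directly. The guard also still lets the final iteration write up to one full block past `_outputMixerSize + header_size`; the hunk does not show how `_musicBundleBufOutput` is sized, so that headroom should be confirmed and recorded, e.g. `// _musicBundleBufOutput must hold _outputMixerSize + header_size plus one block of overshoot`. The enclosing function begins before and ends after this hunk.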
@@ -1338,13 +1338,13 @@
 		l++;
 		_currentSampleBundleMusic = l;
 
-		if (_offsetSampleBundleMusic >= _outputMixerSize + header_size) {
-			memcpy(_musicBundleBufFinal, (_musicBundleBufOutput + header_size), _outputMixerSize);
-			_offsetBufBundleMusic = _offsetSampleBundleMusic - _outputMixerSize - header_size;
-			memcpy(_musicBundleBufOutput, (_musicBundleBufOutput + (_outputMixerSize + header_size)), _offsetBufBundleMusic);
-			_offsetSampleBundleMusic = _offsetBufBundleMusic;
-			break;
-		}
+	}
+
+	if (_offsetSampleBundleMusic >= _outputMixerSize + header_size) {
+		memcpy(_musicBundleBufFinal, (_musicBundleBufOutput + header_size), _outputMixerSize);
+		_offsetBufBundleMusic = _offsetSampleBundleMusic - _outputMixerSize - header_size;
+		memcpy(_musicBundleBufOutput, (_musicBundleBufOutput + (_outputMixerSize + header_size)), _offsetBufBundleMusic);
+		_offsetSampleBundleMusic = _offsetBufBundleMusic;
 	}
 
 	if (_currentSampleBundleMusic == num) {
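Review bot: The second copy, `memcpy(_musicBundleBufOutput, (_musicBundleBufOutput + (_outputMixerSize + header_size)), _offsetBufBundleMusic);`, moves data within the same buffer, and `memcpy` on overlapping regions is undefined behaviour; source and destination overlap whenever the leftover `_offsetBufBundleMusic` exceeds `_outputMixerSize + header_size`. With the new loop guard the overshoot past the threshold is at most one decompressed block, so overlap is only possible if `_outputMixerSize + header_size` is smaller than a block — whether that can happen is not visible here — but `memmove` is a drop-in replacement that is correct either way: `memmove(_musicBundleBufOutput, _musicBundleBufOutput + (_outputMixerSize + header_size), _offsetBufBundleMusic);`. The enclosing function continues past the end of this hunk.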

Index: bundle.cpp
===================================================================
RCS file: /cvsroot/scummvm/scummvm/scumm/bundle.cpp,v
retrieving revision 1.51
retrieving revision 1.52
diff -u -d -r1.51 -r1.52
--- bundle.cpp	25 Dec 2003 21:33:30 -0000	1.51
+++ bundle.cpp	2 Jan 2004 03:20:07 -0000	1.52
@@ -318,8 +318,7 @@
 }
 
 int32 Bundle::decompressMusicSampleByIndex(int32 index, int32 number, byte *comp_final) {
-	int32 i = 0;
-	int tag, num, final_size;
+	int final_size;
 	byte *comp_input;
 
 	if (_musicFile.isOpen() == false) {
@@ -328,6 +327,7 @@
 	}
 
 	if (_lastSong != index) {
+		int i, tag, num;
 		_musicFile.seek(_bundleMusicTable[index].offset, SEEK_SET);
 		tag = _musicFile.readUint32BE();
 		num = _musicFile.readUint32BE();
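Review bot: `num` is declared as a signed `int` on the added line but is assigned `_musicFile.readUint32BE()`, so any count at or above 2^31 read from the bundle file wraps negative before it is used. What `num` drives is outside this hunk, but a value taken straight from a file is untrusted and should be held in an unsigned type and range-checked before it sizes a loop or allocation, e.g. `uint32 num = _musicFile.readUint32BE();` (if the project's `uint32` typedef is in scope here) followed by an explicit upper-bound check. The same truncation applies to `tag`, though a tag is presumably only compared. The function continues past the end of this hunk.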




