[Scummvm-cvs-logs] CVS: scummvm/scumm gfx.cpp,2.391,2.392

Max Horn fingolfin at users.sourceforge.net
Mon Feb 28 12:22:06 CET 2005


Update of /cvsroot/scummvm/scummvm/scumm
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv29002

Modified Files:
	gfx.cpp 
Log Message:
Perform some validation before using GFX strip offset (see also bug #795214)

Index: gfx.cpp
===================================================================
RCS file: /cvsroot/scummvm/scummvm/scumm/gfx.cpp,v
retrieving revision 2.391
retrieving revision 2.392
diff -u -d -r2.391 -r2.392
--- gfx.cpp	25 Feb 2005 20:14:57 -0000	2.391
+++ gfx.cpp	28 Feb 2005 20:20:57 -0000	2.392
@@ -1371,12 +1371,19 @@
 		} else if (_vm->_version == 2) {
 			// Do nothing here for V2 games - drawing was already handled.
 		} else {
+			int offset;
 			if (_vm->_features & GF_16COLOR) {
+				offset = READ_LE_UINT16(smap_ptr + stripnr * 2 + 2);
+				assert(offset < READ_LE_UINT16(smap_ptr));
 				drawStripEGA(dstPtr, vs->pitch, smap_ptr + READ_LE_UINT16(smap_ptr + stripnr * 2 + 2), height);
 			} else if (_vm->_features & GF_SMALL_HEADER) {
-				useOrDecompress = decompressBitmap(dstPtr, vs->pitch, smap_ptr + READ_LE_UINT32(smap_ptr + stripnr * 4 + 4), height);
+				offset = READ_LE_UINT32(smap_ptr + stripnr * 4 + 4);
+				assert(offset < READ_LE_UINT32(smap_ptr));
+				useOrDecompress = decompressBitmap(dstPtr, vs->pitch, smap_ptr + offset, height);
 			} else {
-				useOrDecompress = decompressBitmap(dstPtr, vs->pitch, smap_ptr + READ_LE_UINT32(smap_ptr + stripnr * 4 + 8), height);
+				offset = READ_LE_UINT32(smap_ptr + stripnr * 4 + 8);
+				assert(offset < READ_BE_UINT32(smap_ptr));
+				useOrDecompress = decompressBitmap(dstPtr, vs->pitch, smap_ptr + offset, height);
 			}
 		}
 





More information about the Scummvm-git-logs mailing list