[Scummvm-cvs-logs] CVS: scummvm/scumm gfx.cpp,2.396,2.397

Max Horn fingolfin at users.sourceforge.net
Wed Mar 9 13:10:47 CET 2005


Update of /cvsroot/scummvm/scummvm/scumm
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv9526

Modified Files:
	gfx.cpp 
Log Message:
Stricter offset verification in drawBitmap; but be more generous if we encounter a violation and just generate a warning (should fix bug #795214)

Index: gfx.cpp
===================================================================
RCS file: /cvsroot/scummvm/scummvm/scumm/gfx.cpp,v
retrieving revision 2.396
retrieving revision 2.397
diff -u -d -r2.396 -r2.397
--- gfx.cpp	6 Mar 2005 23:36:37 -0000	2.396
+++ gfx.cpp	9 Mar 2005 21:10:16 -0000	2.397
@@ -1375,20 +1375,29 @@
 		} else if (_vm->_version == 2) {
 			// Do nothing here for V2 games - drawing was already handled.
 		} else {
-			uint32 offset;
+			// Do some input verification and make sure the strip/strip offset
+			// are actually valid. Normally, this should never be a problem,
+			// but if e.g. a savegame gets corrupted, we can easily get into
+			// trouble here. See also bug #795214.
+			int offset = -1, smapLen;
 			if (_vm->_features & GF_16COLOR) {
-				offset = READ_LE_UINT16(smap_ptr + stripnr * 2 + 2);
-				assert(offset < READ_LE_UINT16(smap_ptr));
-				drawStripEGA(dstPtr, vs->pitch, smap_ptr + READ_LE_UINT16(smap_ptr + stripnr * 2 + 2), height);
+				smapLen = READ_LE_UINT16(smap_ptr);
+				if (stripnr * 2 + 2 < smapLen)
+					offset = READ_LE_UINT16(smap_ptr + stripnr * 2 + 2);
 			} else if (_vm->_features & GF_SMALL_HEADER) {
-				offset = READ_LE_UINT32(smap_ptr + stripnr * 4 + 4);
-				assert(offset < READ_LE_UINT32(smap_ptr));
-				useOrDecompress = decompressBitmap(dstPtr, vs->pitch, smap_ptr + offset, height);
+				smapLen = READ_LE_UINT32(smap_ptr);
+				if (stripnr * 4 + 4 < smapLen)
+					offset = READ_LE_UINT32(smap_ptr + stripnr * 4 + 4);
 			} else {
-				offset = READ_LE_UINT32(smap_ptr + stripnr * 4 + 8);
-				assert(offset < READ_BE_UINT32(smap_ptr));
-				useOrDecompress = decompressBitmap(dstPtr, vs->pitch, smap_ptr + offset, height);
+				smapLen = READ_BE_UINT32(smap_ptr);
+				if (stripnr * 4 + 8 < smapLen)
+					offset = READ_LE_UINT32(smap_ptr + stripnr * 4 + 8);
 			}
+			if (offset < 0 || offset >= smapLen) {
+				warning("drawBitmap: Trying to draw a non-existant strip");
+				return;
+			}
+			useOrDecompress = decompressBitmap(dstPtr, vs->pitch, smap_ptr + offset, height);
 		}
 
 		CHECK_HEAP;
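Review bot: The three table-bounds checks (`stripnr * 2 + 2 < smapLen` and the two `stripnr * 4 + ... < smapLen` variants) only prove that the first byte of the offset entry lies inside the SMAP, while the READ_LE_UINT16/READ_LE_UINT32 that follows reads 2 or 4 bytes, so an entry straddling the end is still read past `smapLen`. They also pass for a negative `stripnr`, whose type and range are not visible in this hunk. Comparing the end of the entry closes both gaps, e.g. `if (stripnr >= 0 && stripnr * 4 + 8 + 4 <= smapLen)`, and likewise `+ 2 + 2` / `+ 4 + 4` in the other two branches. Note also that `smapLen` is taken from the same possibly corrupted block, and the final `offset >= smapLen` test bounds only where the strip starts, not how far the decoder reads from `src`; if the real resource size is available in drawBitmap, checking against it would be the stronger guard. The enclosing function starts and ends outside the hunk.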
@@ -1643,6 +1652,11 @@
 
 bool Gdi::decompressBitmap(byte *dst, int dstPitch, const byte *src, int numLinesToProcess) {
 	assert(numLinesToProcess);
+	
+	if (_vm->_features & GF_16COLOR) {
+		drawStripEGA(dst, dstPitch, src, numLinesToProcess);
+		return false;
+	}
 
 	byte code = *src++;
 	bool useOrDecompress = false;
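Review bot: The new 16-color branch at the top of decompressBitmap returns `false` without saying what that value means to the caller. drawBitmap now stores it in `useOrDecompress` for EGA strips, which the old code never assigned on that path. A short comment would make the contract explicit, for example `// 16-color strips are drawn entirely by drawStripEGA; the caller gets useOrDecompress == false.` The added blank line above the branch also carries a stray tab. The function body continues past the end of the hunk.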




