[Scummvm-cvs-logs] CVS: scummvm/scumm gfx.cpp,2.396,2.397
Max Horn
fingolfin at users.sourceforge.net
Wed Mar 9 13:10:47 CET 2005
Update of /cvsroot/scummvm/scummvm/scumm
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv9526
Modified Files:
gfx.cpp
Log Message:
Stricter offset verification in drawBitmap; but be more generous if we encounter a violation and just generate a warning (should fix bug #795214)
Index: gfx.cpp
===================================================================
RCS file: /cvsroot/scummvm/scummvm/scumm/gfx.cpp,v
retrieving revision 2.396
retrieving revision 2.397
diff -u -d -r2.396 -r2.397
--- gfx.cpp 6 Mar 2005 23:36:37 -0000 2.396
+++ gfx.cpp 9 Mar 2005 21:10:16 -0000 2.397
@@ -1375,20 +1375,29 @@
} else if (_vm->_version == 2) {
// Do nothing here for V2 games - drawing was already handled.
} else {
- uint32 offset;
+ // Do some input verification and make sure the strip/strip offset
+ // are actually valid. Normally, this should never be a problem,
+ // but if e.g. a savegame gets corrupted, we can easily get into
+ // trouble here. See also bug #795214.
+ int offset = -1, smapLen;
if (_vm->_features & GF_16COLOR) {
- offset = READ_LE_UINT16(smap_ptr + stripnr * 2 + 2);
- assert(offset < READ_LE_UINT16(smap_ptr));
- drawStripEGA(dstPtr, vs->pitch, smap_ptr + READ_LE_UINT16(smap_ptr + stripnr * 2 + 2), height);
+ smapLen = READ_LE_UINT16(smap_ptr);
+ if (stripnr * 2 + 2 < smapLen)
+ offset = READ_LE_UINT16(smap_ptr + stripnr * 2 + 2);
} else if (_vm->_features & GF_SMALL_HEADER) {
- offset = READ_LE_UINT32(smap_ptr + stripnr * 4 + 4);
- assert(offset < READ_LE_UINT32(smap_ptr));
- useOrDecompress = decompressBitmap(dstPtr, vs->pitch, smap_ptr + offset, height);
+ smapLen = READ_LE_UINT32(smap_ptr);
+ if (stripnr * 4 + 4 < smapLen)
+ offset = READ_LE_UINT32(smap_ptr + stripnr * 4 + 4);
} else {
- offset = READ_LE_UINT32(smap_ptr + stripnr * 4 + 8);
- assert(offset < READ_BE_UINT32(smap_ptr));
- useOrDecompress = decompressBitmap(dstPtr, vs->pitch, smap_ptr + offset, height);
+ smapLen = READ_BE_UINT32(smap_ptr);
+ if (stripnr * 4 + 8 < smapLen)
+ offset = READ_LE_UINT32(smap_ptr + stripnr * 4 + 8);
}
+ if (offset < 0 || offset >= smapLen) {
+ warning("drawBitmap: Trying to draw a non-existant strip");
+ return;
+ }
+ useOrDecompress = decompressBitmap(dstPtr, vs->pitch, smap_ptr + offset, height);
}
CHECK_HEAP;
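Review bot: The three table-entry guards on the new side (`stripnr * 2 + 2 < smapLen`, `stripnr * 4 + 4 < smapLen`, `stripnr * 4 + 8 < smapLen`) only prove that the first byte of the entry lies inside the declared length. The read that follows is 2 or 4 bytes wide, so an entry straddling the end is still read; comparing the end of the entry instead, e.g. `if (stripnr * 4 + 8 + 4 <= smapLen)`, closes that. `smapLen` itself is read from the same possibly corrupted block, so both checks bound against the declared size rather than the size of the loaded resource. If that size is available in the part of drawBitmap outside this hunk, clamping `smapLen` to it would make the verification hold for a corrupted header as well. A negative `stripnr` would also pass the guard as written, assuming it is a signed int (its declaration is not in the hunk).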
@@ -1643,6 +1652,11 @@
bool Gdi::decompressBitmap(byte *dst, int dstPitch, const byte *src, int numLinesToProcess) {
assert(numLinesToProcess);
+
+ if (_vm->_features & GF_16COLOR) {
+ drawStripEGA(dst, dstPitch, src, numLinesToProcess);
+ return false;
+ }
byte code = *src++;
bool useOrDecompress = false;
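Review bot: decompressBitmap still receives only a start pointer, so the new GF_16COLOR branch and the `*src++` below it read forward from `src` with no end bound. The offset check added in drawBitmap validates where decoding starts, not how far it runs. Since the signature carries no length, the precondition should at least be stated at the top of the function, e.g. `// src must point inside an already validated SMAP block; no source length is checked here`. A short comment on `return false;` saying why the EGA path never reports useOrDecompress would also help. The function body continues outside the hunk, so any later bounds handling is not visible here.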