[Scummvm-cvs-logs] scummvm master -> a0dbe45a454f8b64efb784131b13b942ee060675

digitall digitall at scummvm.org
Fri Nov 25 07:35:23 CET 2011


This automated email contains information about 1 new commit which has been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
a0dbe45a45 DRASCULA: Add fix for crash/OOB memory accesses in bug #3440895


Commit: a0dbe45a454f8b64efb784131b13b942ee060675
    https://github.com/scummvm/scummvm/commit/a0dbe45a454f8b64efb784131b13b942ee060675
Author: D G Turner (digitall at scummvm.org)
Date: 2011-11-24T22:30:10-08:00

Commit Message:
DRASCULA: Add fix for crash/OOB memory accesses in bug #3440895

This bug is "DRASCULA-IT: Crash/graphic glitch at castle towers".
The crash was due to width and height values being passed to
copyBackground() being invalid due to out of bounds read from
the factor_red array. This adds debugging statements and fixes
the crash by clipping accesses to the maximum index of factor_red.

This doesn't however fix the observed GFX glitch, but stops it being
a segfault.

Changed paths:
    engines/drascula/graphics.cpp
    engines/drascula/talk.cpp



diff --git a/engines/drascula/graphics.cpp b/engines/drascula/graphics.cpp
index f9f6c1f..590561f 100644
--- a/engines/drascula/graphics.cpp
+++ b/engines/drascula/graphics.cpp
@@ -154,6 +154,7 @@ void DrasculaEngine::showFrame(Common::SeekableReadStream *stream, bool firstFra
 }
 
 void DrasculaEngine::copyBackground(int xorg, int yorg, int xdes, int ydes, int width, int height, byte *src, byte *dest) {
+	debug(1, "DrasculaEngine::copyBackground(xorg:%d, yorg:%d, xdes:%d, ydes:%d width:%d height:%d, src, dest)", xorg, yorg, xdes, ydes, width,height);
 	dest += xdes + ydes * 320;
 	src += xorg + yorg * 320;
 	/* Unoptimized code
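Review bot: copyBackground() still trusts its arguments: the added line only logs them, and the next two lines advance `dest` and `src` by `xdes + ydes * 320` and `xorg + yorg * 320` with no check that the rectangle stays inside either surface. The commit message attributes the crash to invalid width and height reaching this function, so a guard here would protect every caller, not only the talk() call sites clamped in talk.cpp. For example, `if (width <= 0 || height <= 0 || xorg < 0 || xdes < 0 || xorg + width > 320 || xdes + width > 320) { warning("copyBackground: rect out of range"); return; }`, plus the matching row checks against the surface height, which this hunk does not show. The function body continues past the hunk, so the copy loop itself was not reviewed.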
diff --git a/engines/drascula/talk.cpp b/engines/drascula/talk.cpp
index c97191f..a326852 100644
--- a/engines/drascula/talk.cpp
+++ b/engines/drascula/talk.cpp
@@ -372,6 +372,7 @@ void DrasculaEngine::talk(int index) {
 }
 
 void DrasculaEngine::talk(const char *said, const char *filename) {
+	debug(1, "DrasculaEngine::talk(said:\"%s\", filename:\"%s\")", said, filename);
 	int talkOffset = 0;
 	if (currentChapter != 2)
 		talkOffset = 1;
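Review bot: The new `debug()` call formats `said` and `filename` with `%s` before anything in the function has checked them, and a null pointer passed to `%s` is undefined behaviour in printf-style formatters. Whether any caller passes null is not visible here, so this is a precaution: pass `said ? said : "(null)"` and `filename ? filename : "(null)"` as the two arguments. The rest of talk() lies outside this hunk.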
@@ -414,8 +415,8 @@ void DrasculaEngine::talk(const char *said, const char *filename) {
 		if (currentChapter == 2)
 			copyBackground(curX, curY, OBJWIDTH + 1, 0, curWidth, talkHeight - 1, screenSurface, drawSurface3);
 		else
-			copyBackground(curX, curY, OBJWIDTH + 1, 0, (int)(((float)curWidth / 100) * factor_red[curY + curHeight]),
-					   (int)(((float)(talkHeight - 1) / 100) * factor_red[curY + curHeight]),
+			copyBackground(curX, curY, OBJWIDTH + 1, 0, (int)(((float)curWidth / 100) * factor_red[MIN(201, curY + curHeight)]),
+					   (int)(((float)(talkHeight - 1) / 100) * factor_red[MIN(201, curY + curHeight)]),
 						   screenSurface, drawSurface3);
 
 		moveCharacters();
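Review bot: `MIN(201, curY + curHeight)` bounds the index only from above, so a negative `curY + curHeight` would still read before the start of `factor_red`; whether that sum can go negative is not visible in these hunks, but clamping both ends costs nothing. The literal 201 also depends silently on the array's declared size, and the same expression is repeated in every later hunk of this file (the calls at -424, -434, -444, -453 and -463). Assuming `factor_red` is a true array in scope, computing the value once in the loop body, e.g. `const int scale = factor_red[CLIP(curY + curHeight, 0, ARRAYSIZE(factor_red) - 1)];`, and passing `scale` to each call keeps the bound tied to the declaration. Since the commit message says the graphics glitch remains, a `warning()` when the clamp actually triggers would help locate the code that produces the out-of-range value. talk() starts and ends outside the hunk.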
@@ -424,8 +425,8 @@ void DrasculaEngine::talk(const char *said, const char *filename) {
 			if (!strcmp(menuBackground, "99.alg") || !strcmp(menuBackground, "994.alg"))
 				copyBackground(OBJWIDTH + 1, 0, curX, curY, curWidth, talkHeight - 1, drawSurface3, screenSurface);
 		} else {
-			copyBackground(OBJWIDTH + 1, 0, curX, curY, (int)(((float)curWidth / 100) * factor_red[curY + curHeight]),
-					   (int)(((float)(talkHeight - 1) / 100) * factor_red[curY + curHeight]),
+			copyBackground(OBJWIDTH + 1, 0, curX, curY, (int)(((float)curWidth / 100) * factor_red[MIN(201, curY + curHeight)]),
+					   (int)(((float)(talkHeight - 1) / 100) * factor_red[MIN(201, curY + curHeight)]),
 						   drawSurface3, screenSurface);
 		}
 
@@ -434,8 +435,8 @@ void DrasculaEngine::talk(const char *said, const char *filename) {
 				copyRect(x_talk_izq[face], y_mask_talk, curX + 8, curY - 1, talkWidth, talkHeight,
 						extraSurface, screenSurface);
 			else
-				reduce_hare_chico(x_talk_izq[face], y_mask_talk, curX + (int)((8.0f / 100) * factor_red[curY + curHeight]),
-						curY, talkWidth, talkHeight, factor_red[curY + curHeight],
+				reduce_hare_chico(x_talk_izq[face], y_mask_talk, curX + (int)((8.0f / 100) * factor_red[MIN(201, curY + curHeight)]),
+						curY, talkWidth, talkHeight, factor_red[MIN(201, curY + curHeight)],
 						extraSurface, screenSurface);
 
 			updateRefresh();
@@ -444,8 +445,8 @@ void DrasculaEngine::talk(const char *said, const char *filename) {
 				copyRect(x_talk_dch[face], y_mask_talk, curX + 12, curY, talkWidth, talkHeight,
 					extraSurface, screenSurface);
 			else
-				reduce_hare_chico(x_talk_dch[face], y_mask_talk, curX + (int)((12.0f / 100) * factor_red[curY + curHeight]),
-					curY, talkWidth, talkHeight, factor_red[curY + curHeight], extraSurface, screenSurface);
+				reduce_hare_chico(x_talk_dch[face], y_mask_talk, curX + (int)((12.0f / 100) * factor_red[MIN(201, curY + curHeight)]),
+					curY, talkWidth, talkHeight, factor_red[MIN(201, curY + curHeight)], extraSurface, screenSurface);
 			updateRefresh();
 		} else if (trackProtagonist == 2) {
 			if (currentChapter == 2)
@@ -453,8 +454,8 @@ void DrasculaEngine::talk(const char *said, const char *filename) {
 					frontSurface, screenSurface);
 			else
 				reduce_hare_chico(x_talk_izq[face], y_mask_talk,
-						talkOffset + curX + (int)((12.0f / 100) * factor_red[curY + curHeight]),
-						curY, talkWidth, talkHeight, factor_red[curY + curHeight],
+						talkOffset + curX + (int)((12.0f / 100) * factor_red[MIN(201, curY + curHeight)]),
+						curY, talkWidth, talkHeight, factor_red[MIN(201, curY + curHeight)],
 						frontSurface, screenSurface);
 			updateRefresh();
 		} else if (trackProtagonist == 3) {
@@ -463,8 +464,8 @@ void DrasculaEngine::talk(const char *said, const char *filename) {
 					frontSurface, screenSurface);
 			else
 				reduce_hare_chico(x_talk_dch[face], y_mask_talk,
-						talkOffset + curX + (int)((8.0f / 100) * factor_red[curY + curHeight]),
-						curY, talkWidth,talkHeight, factor_red[curY + curHeight],
+						talkOffset + curX + (int)((8.0f / 100) * factor_red[MIN(201, curY + curHeight)]),
+						curY, talkWidth,talkHeight, factor_red[MIN(201, curY + curHeight)],
 						frontSurface, screenSurface);
 			updateRefresh();
 		}





