[Scummvm-cvs-logs] scummvm master -> 381e92a576ef05de60c1a90d534785ebd7a112c2

bluegr md5 at scummvm.org
Mon Nov 28 21:37:32 CET 2011


This automated email contains information about 1 new commit which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
381e92a576 SCI: Added handling of invalid jump offsets (e.g. QFG2, script 260)


Commit: 381e92a576ef05de60c1a90d534785ebd7a112c2
    https://github.com/scummvm/scummvm/commit/381e92a576ef05de60c1a90d534785ebd7a112c2
Author: Filippos Karapetis (md5 at scummvm.org)
Date: 2011-11-28T12:36:58-08:00

Commit Message:
SCI: Added handling of invalid jump offsets (e.g. QFG2, script 260)

Changed paths:
    engines/sci/console.cpp
    engines/sci/engine/scriptdebug.cpp
    engines/sci/engine/vm.cpp



diff --git a/engines/sci/console.cpp b/engines/sci/console.cpp
index b852de7..571d2f8 100644
--- a/engines/sci/console.cpp
+++ b/engines/sci/console.cpp
@@ -2978,7 +2978,8 @@ void Console::printKernelCallsFound(int kernelFuncNum, bool showFoundScripts) {
 					// there is a jump after a ret, we don't stop processing
 					if (opcode == op_bt || opcode == op_bnt || opcode == op_jmp) {
 						uint16 curJmpOffset = offset + (uint16)opparams[0];
-						if (curJmpOffset > maxJmpOffset)
+						// QFG2 has invalid jumps outside the script buffer in script 260
+						if (curJmpOffset > maxJmpOffset && curJmpOffset < script->getScriptSize())
 							maxJmpOffset = curJmpOffset;
 					}
 
diff --git a/engines/sci/engine/scriptdebug.cpp b/engines/sci/engine/scriptdebug.cpp
index ad3f4fb..3faa131 100644
--- a/engines/sci/engine/scriptdebug.cpp
+++ b/engines/sci/engine/scriptdebug.cpp
@@ -296,7 +296,7 @@ bool isJumpOpcode(EngineState *s, reg_t pos, reg_t& jumpTarget) {
 	Script *script_entity = (Script *)mobj;
 
 	const byte *scr = script_entity->getBuf();
-	int scr_size = script_entity->getBufSize();
+	int scr_size = script_entity->getScriptSize();
 
 	if (pos.offset >= scr_size)
 		return false;
@@ -310,7 +310,13 @@ bool isJumpOpcode(EngineState *s, reg_t pos, reg_t& jumpTarget) {
 	case op_bt:
 	case op_bnt:
 	case op_jmp:
-		jumpTarget = pos + bytecount + opparams[0];
+		{
+		reg_t jmpTarget = pos + bytecount + opparams[0];
+		// QFG2 has invalid jumps outside the script buffer in script 260
+		if (jmpTarget.offset >= scr_size)
+			return false;
+		jumpTarget = jmpTarget;
+		}
 		return true;
 	default:
 		return false;
diff --git a/engines/sci/engine/vm.cpp b/engines/sci/engine/vm.cpp
index 6b3a319..226a73b 100644
--- a/engines/sci/engine/vm.cpp
+++ b/engines/sci/engine/vm.cpp
@@ -764,16 +764,28 @@ void run_vm(EngineState *s) {
 			// Branch relative if true
 			if (s->r_acc.offset || s->r_acc.segment)
 				s->xs->addr.pc.offset += opparams[0];
+
+			if (s->xs->addr.pc.offset >= local_script->getScriptSize())
+				error("[VM] op_bt: request to jump past the end of script %d (offset %d, script is %d bytes)",
+					local_script->getScriptNumber(), s->xs->addr.pc.offset, local_script->getScriptSize());
 			break;
 
 		case op_bnt: // 0x18 (24)
 			// Branch relative if not true
 			if (!(s->r_acc.offset || s->r_acc.segment))
 				s->xs->addr.pc.offset += opparams[0];
+
+			if (s->xs->addr.pc.offset >= local_script->getScriptSize())
+				error("[VM] op_bnt: request to jump past the end of script %d (offset %d, script is %d bytes)",
+					local_script->getScriptNumber(), s->xs->addr.pc.offset, local_script->getScriptSize());
 			break;
 
 		case op_jmp: // 0x19 (25)
 			s->xs->addr.pc.offset += opparams[0];
+
+			if (s->xs->addr.pc.offset >= local_script->getScriptSize())
+				error("[VM] op_jmp: request to jump past the end of script %d (offset %d, script is %d bytes)",
+					local_script->getScriptNumber(), s->xs->addr.pc.offset, local_script->getScriptSize());
 			break;
 
 		case op_ldi: // 0x1a (26)






More information about the Scummvm-git-logs mailing list