[Scummvm-cvs-logs] scummvm master -> f94153f07a69e986547391922c8aa85ab0086874

wjp wjp at usecode.org
Mon Feb 1 20:22:48 CET 2016


This automated email contains information about 2 new commits which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
8a0e813493 Revert "TOUCHE: Fix buffer overrun. CID 1003934"
f94153f07a TOUCHE: Fix semi-intentional array overrun


Commit: 8a0e8134938435524c79944656edf6807c3a3722
    https://github.com/scummvm/scummvm/commit/8a0e8134938435524c79944656edf6807c3a3722
Author: Willem Jan Palenstijn (wjp at usecode.org)
Date: 2016-02-01T20:17:09+01:00

Commit Message:
Revert "TOUCHE: Fix buffer overrun. CID 1003934"

This reverts commit 9d2cc7ce84107d93d56371e8266cbe2193a7923b.

Changed paths:
    engines/touche/touche.h



diff --git a/engines/touche/touche.h b/engines/touche/touche.h
index 20bf723..3de5b8c 100644
--- a/engines/touche/touche.h
+++ b/engines/touche/touche.h
@@ -102,7 +102,7 @@ struct KeyChar {
 	int16 zPosPrev;
 	int16 prevWalkDataNum;
 	uint16 textColor;
-	int16 inventoryItems[5];
+	int16 inventoryItems[4];
 	int16 money;
 	int16 pointsDataNum;
 	int16 currentWalkBox;
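Review bot: shrinking inventoryItems back to four entries restores the layout in which index 4 lands on the adjacent `int16 money;` field, so this revert on its own re-introduces the out-of-bounds read and write until opcodes.cpp stops indexing the array with 4; the two commits should land together. Since the follow-up relies on that adjacency, add a comment on the `money` line stating that scripts address it as inventory item 4, so nobody reorders or pads the struct without updating the opcodes.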


Commit: f94153f07a69e986547391922c8aa85ab0086874
    https://github.com/scummvm/scummvm/commit/f94153f07a69e986547391922c8aa85ab0086874
Author: Willem Jan Palenstijn (wjp at usecode.org)
Date: 2016-02-01T20:21:27+01:00

Commit Message:
TOUCHE: Fix semi-intentional array overrun

op_getInventoryItem/op_setInventoryItem could operate on
inventoryItems[4] while inventoryItems has only 4 elements. This
effectively accesses the 'money' field right behind this array.
Due to a broken assert, this was never detected.

This commit fixes it by redirecting accesses to inventoryItems[4] to
money, and also fixes the assert.

An alternative solution would have been enlarging the array, and
removing the money field, but that would require more changes in the
engine.

Changed paths:
    engines/touche/opcodes.cpp



diff --git a/engines/touche/opcodes.cpp b/engines/touche/opcodes.cpp
index ee7f3a9..2af9428 100644
--- a/engines/touche/opcodes.cpp
+++ b/engines/touche/opcodes.cpp
@@ -610,8 +610,13 @@ void ToucheEngine::op_getInventoryItem() {
 		keyChar = _currentKeyCharNum;
 	}
 	assert(keyChar >= 0 && keyChar < NUM_KEYCHARS);
-	assert(item < sizeof(_keyCharsTable[keyChar].inventoryItems));
-	*_script.stackDataPtr = _keyCharsTable[keyChar].inventoryItems[item];
+	if (item == 4) {
+		// item 4 is the 'money' field
+		*_script.stackDataPtr = _keyCharsTable[keyChar].money;
+	} else {
+		assert(item < ARRAYSIZE(_keyCharsTable[keyChar].inventoryItems));
+		*_script.stackDataPtr = _keyCharsTable[keyChar].inventoryItems[item];
+	}
 }
 
 void ToucheEngine::op_setInventoryItem() {
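Review bot: the bounds check in the else branch is still an assert, so in a build with NDEBUG an item value of 5 or more falls through and indexes past inventoryItems into the rest of the struct (the old sizeof-based assert admitted indices up to 7, because sizeof(int16[4]) is 8 bytes, not 4 elements). If item comes from script data, make this a hard check rather than an assert, e.g. `if (item >= ARRAYSIZE(_keyCharsTable[keyChar].inventoryItems)) error("op_getInventoryItem: invalid item %d", item);` before the access. Also consider writing the special case as `item == ARRAYSIZE(_keyCharsTable[keyChar].inventoryItems)` instead of a bare 4, so the link between the redirected index and the array length is explicit.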
@@ -625,8 +630,13 @@ void ToucheEngine::op_setInventoryItem() {
 		keyChar = _currentKeyCharNum;
 	}
 	assert(keyChar >= 0 && keyChar < NUM_KEYCHARS);
-	assert(item < sizeof(_keyCharsTable[keyChar].inventoryItems));
-	_keyCharsTable[keyChar].inventoryItems[item] = *_script.stackDataPtr;
+	if (item == 4) {
+		// item 4 is the 'money' field
+		_keyCharsTable[keyChar].money = *_script.stackDataPtr;
+	} else {
+		assert(item < ARRAYSIZE(_keyCharsTable[keyChar].inventoryItems));
+		_keyCharsTable[keyChar].inventoryItems[item] = *_script.stackDataPtr;
+	}
 	if (item == 4 && !_hideInventoryTexts) {
 		drawAmountOfMoneyInInventory();
 	}
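Review bot: the `item == 4` test now appears twice in this function, once to route the write to money and again to trigger drawAmountOfMoneyInInventory(); move the redraw into the money branch so the two cannot drift apart, and share the 4 as a named constant between op_getInventoryItem and op_setInventoryItem. The same caveat as in the getter applies here: the assert in the else branch compiles out in release builds, so an item above 4 still writes past the array unless it is rejected with a real check.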
