[Scummvm-cvs-logs] scummvm master -> 32f9b9243117a59b62e381655e7e253e6e6fad00

Strangerke Strangerke at scummvm.org
Wed Jun 8 07:55:05 CEST 2016


This automated email contains information about 1 new commit which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
32f9b92431 GNAP: Fix potential out of bound write


Commit: 32f9b9243117a59b62e381655e7e253e6e6fad00
    https://github.com/scummvm/scummvm/commit/32f9b9243117a59b62e381655e7e253e6e6fad00
Author: Strangerke (strangerke at scummvm.org)
Date: 2016-06-08T07:46:35+02:00

Commit Message:
GNAP: Fix potential out of bound write

Changed paths:
    engines/gnap/gamesys.cpp



diff --git a/engines/gnap/gamesys.cpp b/engines/gnap/gamesys.cpp
index d31854d..11ef6fd 100644
--- a/engines/gnap/gamesys.cpp
+++ b/engines/gnap/gamesys.cpp
@@ -1116,7 +1116,10 @@ void GameSys::fatUpdateFrame() {
 	if (_newSpriteDrawItemsCount > 0) {
 		debugC(kDebugBasic, "_newSpriteDrawItemsCount: %d", _newSpriteDrawItemsCount);
 		for (int k = 0; k < _newSpriteDrawItemsCount; ++k) {
-			if (_gfxItemsCount < 50) {
+			// The original was allowing a buffer overflow.
+			// In order to fit in memory, insertIndex + 1 + (_gfxItemsCount - InsertIndex) must be
+			// smaller than the size _gfxItems array (50).
+			if (_gfxItemsCount + 1 < 50) {
 				int insertIndex;
 				seqLocateGfx(-1, _newSpriteDrawItems[k]._id, &insertIndex);
 				if (_gfxItemsCount != insertIndex)






More information about the Scummvm-git-logs mailing list