[Scummvm-cvs-logs] scummvm branch-1-8 -> 17377c1bf922b7e9dcdf3e7b1f2cf6d10e10f140
m-kiewitz
m_kiewitz at users.sourceforge.net
Tue Mar 15 12:31:57 CET 2016
This automated email contains information about 1 new commit which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .
Summary:
17377c1bf9 SCI: Truncate channel data in case it goes beyond resource size
Commit: 17377c1bf922b7e9dcdf3e7b1f2cf6d10e10f140
https://github.com/scummvm/scummvm/commit/17377c1bf922b7e9dcdf3e7b1f2cf6d10e10f140
Author: Martin Kiewitz (m_kiewitz at users.sourceforge.net)
Date: 2016-03-15T12:31:47+01:00
Commit Message:
SCI: Truncate channel data in case it goes beyond resource size
Fixes invalid memory access during kq5 floppy ending
Changed paths:
engines/sci/resource_audio.cpp
diff --git a/engines/sci/resource_audio.cpp b/engines/sci/resource_audio.cpp
index 6869e63..bc16b12 100644
--- a/engines/sci/resource_audio.cpp
+++ b/engines/sci/resource_audio.cpp
@@ -688,6 +688,12 @@ SoundResource::SoundResource(uint32 resourceNr, ResourceManager *resMan, SciVers
channel->data = resource->data + dataOffset;
channel->size = READ_LE_UINT16(data + 4);
+
+ if (dataOffset + channel->size > resource->size) {
+ warning("Invalid size inside sound resource %d: track %d, channel %d", resourceNr, trackNr, channelNr);
+ channel->size = resource->size - dataOffset;
+ }
+
channel->curPos = 0;
channel->number = *channel->data;
More information about the Scummvm-git-logs
mailing list