[Scummvm-git-logs] scummvm master -> 3a933138ce9273724726efc0df051b8dcf92b7d8

wjp wjp at usecode.org
Sun Dec 3 12:54:01 CET 2017 

This automated email contains information about 1 new commit which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
3a933138ce SCI: Avoid buffer overflow in amigamac sound driver


Commit: 3a933138ce9273724726efc0df051b8dcf92b7d8
    https://github.com/scummvm/scummvm/commit/3a933138ce9273724726efc0df051b8dcf92b7d8
Author: Willem Jan Palenstijn (wjp at usecode.org)
Date: 2017-12-03T12:49:11+01:00

Commit Message:
SCI: Avoid buffer overflow in amigamac sound driver

By default, frac_t is interpreted as signed. The resulting range isn't
large enough to store offsets, so we interpret it as unsigned here
instead. Fixes a crash in QfG1/Mac where instrument->loop_size is 49457.

Changed paths:
    engines/sci/sound/drivers/amigamac.cpp


diff --git a/engines/sci/sound/drivers/amigamac.cpp b/engines/sci/sound/drivers/amigamac.cpp
index b8b6a32..22950cb 100644
--- a/engines/sci/sound/drivers/amigamac.cpp
+++ b/engines/sci/sound/drivers/amigamac.cpp
@@ -34,6 +34,11 @@
 
 namespace Sci {
 
+// We use frac_t to store non-negative offsets that can be larger than 32767
+static uint fracToUInt(frac_t value) {
+	return ((uint32)value) / (1 << FRAC_BITS);
+}
+
 class MidiDriver_AmigaMac : public MidiDriver_Emulated {
 public:
 	enum {
@@ -170,7 +175,7 @@ void MidiDriver_AmigaMac::setEnvelope(Voice *channel, Envelope *envelope, int ph
 }
 
 int MidiDriver_AmigaMac::interpolate(int8 *samples, frac_t offset, uint32 maxOffset, bool isUnsigned) {
-	uint x = fracToInt(offset);
+	uint x = fracToUInt(offset);
 	uint x2 = x == maxOffset ? 0 : x + 1;
 
 	if (isUnsigned) {
@@ -272,7 +277,7 @@ void MidiDriver_AmigaMac::playInstrument(int16 *dest, Voice *channel, int count)
 		if (index == count)
 			break;
 
-		if ((uint32)fracToInt(channel->offset) >= seg_end) {
+		if (fracToUInt(channel->offset) >= seg_end) {
 			if (instrument->mode & kModeLoop) {
 				/* Loop the samples */
 				channel->offset -= intToFrac(seg_end);

More information about the Scummvm-git-logs mailing list