[Scummvm-cvs-logs] CVS: scummvm/scumm bundle.cpp,1.20,1.21
Max Horn
fingolfin at users.sourceforge.net
Fri Jan 17 08:50:05 CET 2003
Update of /cvsroot/scummvm/scummvm/scumm
In directory sc8-pr-cvs1:/tmp/cvs-serv26116/scumm
Modified Files:
bundle.cpp
Log Message:
fixed OOB access introduced in my last commit; leaving in my debug asserts this time, in case there are more
Index: bundle.cpp
===================================================================
RCS file: /cvsroot/scummvm/scummvm/scumm/bundle.cpp,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -d -r1.20 -r1.21
--- bundle.cpp 17 Jan 2003 16:12:26 -0000 1.20
+++ bundle.cpp 17 Jan 2003 16:49:41 -0000 1.21
@@ -798,10 +798,14 @@
byte var3b;
int32 adder;
+ byte *endPos = comp_input + input_size;
+
src = comp_input;
memset (comp_output, 0, 0x2000);
firstWord = READ_BE_UINT16(src);
src += 2;
+ assert(src < endPos);
+
if (firstWord != 0) {
if (index != 0) {
@@ -835,6 +839,7 @@
startPos = 0;
origLeft = 0x2000;
}
+ assert(src < endPos);
tableEntrySum = 0;
for (channel = 0; channel < channels; channel++) {
@@ -847,13 +852,17 @@
outputWord = 0;
imcTableEntry = 7;
}
- left = origLeft / (2 * channels);
+ left = (origLeft - 1) / (2 * channels) + 1;
destPos = startPos + 2 * channel;
while (left--) {
curTableEntry = _destImcTable[curTablePos];
decompTable = curTableEntry - 2;
var3b = (1 << decompTable) << 1;
readPos = src + (tableEntrySum >> 3);
+ if (readPos >= endPos) {
+ error("readPos exceeds endPos: %d >= %d (%d, %d)!" , readPos, endPos, left, origLeft);
+ }
+ assert(readPos < endPos);
readWord = (uint16)(READ_BE_UINT16(readPos) << (tableEntrySum & 7));
otherTablePos = (byte)(readWord >> (16 - curTableEntry));
tableEntrySum += curTableEntry;
@@ -894,13 +903,11 @@
imcTableEntry = imcTable1[curTablePos];
}
}
-
if (index == 0) {
output_size = 0x2000 - firstWord;
} else {
output_size = 0x2000;
}
-
}
break;
default:
More information about the Scummvm-git-logs
mailing list