[Scummvm-cvs-logs] scummvm master -> 86b3a075d48eed0e71f0237107449ea6dd64673f

digitall dgturner at iee.org
Mon Jun 2 23:08:59 CEST 2014


This automated email contains information about 1 new commit which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
86b3a075d4 GROOVIE: Add sanity checks and range limits to copyRect opcode param.


Commit: 86b3a075d48eed0e71f0237107449ea6dd64673f
    https://github.com/scummvm/scummvm/commit/86b3a075d48eed0e71f0237107449ea6dd64673f
Author: D G Turner (digitall at scummvm.org)
Date: 2014-06-02T22:09:53+01:00

Commit Message:
GROOVIE: Add sanity checks and range limits to copyRect opcode param.

This prevents segfault crashes in "The 11th Hour" when you open the
Gamebook palmtop from the top of the screen. The opcode needs some
work on the changes from 7th Guest, but this will prevent crashes
while this is being worked on.

Changed paths:
    engines/groovie/script.cpp



diff --git a/engines/groovie/script.cpp b/engines/groovie/script.cpp
index 25c421f..3088116 100644
--- a/engines/groovie/script.cpp
+++ b/engines/groovie/script.cpp
@@ -1219,6 +1219,45 @@ void Script::o_copyrecttobg() {	// 0x37
 	uint16 top = readScript16bits();
 	uint16 right = readScript16bits();
 	uint16 bottom = readScript16bits();
+
+	// Sanity checks to prevent bad pointer access crashes
+	if (left > right) {
+		warning("COPYRECT left:%d > right:%d", left, right);
+		// swap over left and right parameters
+		uint16 j;
+		j = right;
+		right = left;
+		left = j;
+	}
+	if (top > bottom) {
+		warning("COPYRECT top:%d > bottom:%d", top, bottom);
+		// swap over top and bottom parameters
+		uint16 j;
+		j = bottom;
+		bottom = top;
+		top = j;
+	}
+	if (top < 80) {
+		warning("COPYRECT top < 80... clamping");
+		top = 80;
+	}
+	if (top >= 480) {
+		warning("COPYRECT top >= 480... clamping");
+		top = 480 - 1;
+	}
+	if (bottom >= 480) {
+		warning("COPYRECT bottom >= 480... clamping");
+		bottom = 480 - 1;
+	}
+	if (left >= 640) {
+		warning("COPYRECT left >= 640... clamping");
+		left = 640 - 1;
+	}
+	if (right >= 640) {
+		warning("COPYRECT right >= 640... clamping");
+		right = 640 - 1;
+	}
+
 	uint16 i, width = right - left, height = bottom - top;
 	uint32 offset = 0;
 	byte *fg, *bg;






More information about the Scummvm-git-logs mailing list