[Scummvm-cvs-logs] scummvm master -> f25e889c13238671c8ce33a95bcf59f82e70c5c3
eriktorbjorn
eriktorbjorn at telia.com
Sat Oct 25 21:05:00 CEST 2014
This automated email contains information about 3 new commits which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .
Summary:
b6302c6e51 PRINCE: Fix potential out-of-bounds write (CID 1248504)
0579bf6f18 PRINCE: Fix potential out-of-bounds reads (CID 1248500, 1248503)
f25e889c13 PRINCE: Fix potential out-of-bounds read (CID 1248502)
Commit: b6302c6e5155af097940c0043e1b7941c2c1fefe
https://github.com/scummvm/scummvm/commit/b6302c6e5155af097940c0043e1b7941c2c1fefe
Author: Torbjörn Andersson (eriktorbjorn at users.sourceforge.net)
Date: 2014-10-25T20:52:14+02:00
Commit Message:
PRINCE: Fix potential out-of-bounds write (CID 1248504)
There are kMaxTexts text slots, so kMaxTexts itself is not valid.
Changed paths:
engines/prince/prince.cpp
diff --git a/engines/prince/prince.cpp b/engines/prince/prince.cpp
index 29c434e..17cef63 100644
--- a/engines/prince/prince.cpp
+++ b/engines/prince/prince.cpp
@@ -730,8 +730,8 @@ bool PrinceEngine::loadSample(uint32 sampleSlot, const Common::String &streamNam
bool PrinceEngine::loadVoice(uint32 slot, uint32 sampleSlot, const Common::String &streamName) {
debugEngine("Loading wav %s slot %d", streamName.c_str(), slot);
- if (slot > kMaxTexts) {
- error("Text slot bigger than MAXTEXTS %d", kMaxTexts);
+ if (slot >= kMaxTexts) {
+ error("Text slot bigger than MAXTEXTS %d", kMaxTexts - 1);
return false;
}
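Review bot: The error text in the new `error(...)` line still reads "bigger than MAXTEXTS" while the value printed is now `kMaxTexts - 1`, and the offending `slot` is never reported, so the log does not say which index was rejected. Consider printing both, for example `error("Text slot %d out of range (max %d)", slot, kMaxTexts - 1);`. The visible lines also validate only `slot`; `sampleSlot` is passed in alongside it and deserves the same `>=` bound check if it indexes a fixed-size array.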
Commit: 0579bf6f18e56410e1b94e97034c8db774e73b06
https://github.com/scummvm/scummvm/commit/0579bf6f18e56410e1b94e97034c8db774e73b06
Author: Torbjörn Andersson (eriktorbjorn at users.sourceforge.net)
Date: 2014-10-25T20:57:52+02:00
Commit Message:
PRINCE: Fix potential out-of-bounds reads (CID 1248500, 1248503)
Since heroSetTable[] is an array of int, use >= ARRAYSIZE() instead
of > sizeof().
Changed paths:
engines/prince/hero.cpp
diff --git a/engines/prince/hero.cpp b/engines/prince/hero.cpp
index 06fba25..146470f 100644
--- a/engines/prince/hero.cpp
+++ b/engines/prince/hero.cpp
@@ -54,7 +54,7 @@ Hero::~Hero() {
bool Hero::loadAnimSet(uint32 animSetNr) {
_animSetNr = animSetNr;
- if (animSetNr > sizeof(heroSetTable)) {
+ if (animSetNr >= ARRAYSIZE(heroSetTable)) {
return false;
}
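Review bot: `_animSetNr = animSetNr;` is still assigned before the bounds check, so when `loadAnimSet()` returns false the object keeps an out-of-range value in `_animSetNr`. Any later code that indexes `heroSetTable` with the member rather than the argument would then read out of bounds. Move the assignment below the `animSetNr >= ARRAYSIZE(heroSetTable)` check so the member is updated only with a validated index.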
Commit: f25e889c13238671c8ce33a95bcf59f82e70c5c3
https://github.com/scummvm/scummvm/commit/f25e889c13238671c8ce33a95bcf59f82e70c5c3
Author: Torbjörn Andersson (eriktorbjorn at users.sourceforge.net)
Date: 2014-10-25T21:02:03+02:00
Commit Message:
PRINCE: Fix potential out-of-bounds read (CID 1248502)
Since _opcodes[] has kNumOpcodes elements, kNumOpcodes itself is
not a valid index.
Changed paths:
engines/prince/script.cpp
diff --git a/engines/prince/script.cpp b/engines/prince/script.cpp
index 0e9dd27..25249d3 100644
--- a/engines/prince/script.cpp
+++ b/engines/prince/script.cpp
@@ -477,7 +477,7 @@ uint32 Interpreter::step(uint32 opcodePC) {
// Get the current opcode
_lastOpcode = readScript16();
- if (_lastOpcode > kNumOpcodes)
+ if (_lastOpcode >= kNumOpcodes)
error(
"Trying to execute unknown opcode @0x%04X: %02d",
_currentInstruction,
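Review bot: The check `_lastOpcode >= kNumOpcodes` is only correct for as long as `kNumOpcodes` equals the element count of `_opcodes[]`, and nothing in this hunk ties the two together. Comparing against `ARRAYSIZE(_opcodes)`, as the hero.cpp fix does for `heroSetTable`, or adding a compile-time assertion that the two match, would keep the bound correct if the table changes. Since `_lastOpcode` comes straight from `readScript16()`, i.e. from script data, this check is the only guard on the table index and is worth making robust.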