[Scummvm-cvs-logs] scummvm master -> b7d5dd9187d472df73075c2bb92d0a4f71726df7

csnover csnover at users.noreply.github.com
Fri Mar 18 16:29:06 CET 2016


This automated email contains information about 1 new commit which has been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
b7d5dd9187 SCI32: Fix heap overflow (read) in kStringCopy


Commit: b7d5dd9187d472df73075c2bb92d0a4f71726df7
    https://github.com/scummvm/scummvm/commit/b7d5dd9187d472df73075c2bb92d0a4f71726df7
Author: Colin Snover (github.com at zetafleet.com)
Date: 2016-03-18T10:28:51-05:00

Commit Message:
SCI32: Fix heap overflow (read) in kStringCopy

Changed paths:
    engines/sci/engine/kstring.cpp



diff --git a/engines/sci/engine/kstring.cpp b/engines/sci/engine/kstring.cpp
index f598cf7..6d61ad5 100644
--- a/engines/sci/engine/kstring.cpp
+++ b/engines/sci/engine/kstring.cpp
@@ -781,7 +781,8 @@ reg_t kStringCopy(EngineState *s, int argc, reg_t *argv) {
 	// Note: We're accessing from c_str() here because the
 	// string's size ignores the trailing 0 and therefore
 	// triggers an assert when doing string2[i + index2].
-	for (uint16 i = 0; i < count; i++)
+	uint16 size = MIN(string2Size, count);
+	for (uint16 i = 0; i < size; i++)
 		string1->setValue(i + index1, string2[i + index2]);
 
 	return argv[0];
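Review bot: the new loop bound `MIN(string2Size, count)` does not take `index2` into account, while the read is still `string2[i + index2]`. If `string2Size` is the full length of the source rather than the length remaining after `index2`, a non-zero `index2` can still read past the end of the buffer. Please confirm how `string2Size` is computed above this hunk, or clamp against the remaining length and guard the subtraction for the case where `index2` exceeds the size. The clamp also shortens the copy silently, so a one-line comment saying that fewer than `count` elements may be written, and whether the destination needs terminating in that case, would help the next reader.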
