[Scummvm-git-logs] scummvm master -> b4515d087257e1ab27712dc1bffece3f1cd39391

wjp wjp at usecode.org
Tue Oct 25 23:16:49 CEST 2016 

This automated email contains information about 1 new commit which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
b4515d0872 KYRA: (LOL) Fix buffer overflow in _lastOverridePalFile


Commit: b4515d087257e1ab27712dc1bffece3f1cd39391
    https://github.com/scummvm/scummvm/commit/b4515d087257e1ab27712dc1bffece3f1cd39391
Author: Willem Jan Palenstijn (wjp at usecode.org)
Date: 2016-10-25T23:13:22+02:00

Commit Message:
KYRA: (LOL) Fix buffer overflow in _lastOverridePalFile

It was storing filenames of length 12 in a char[12] buffer.
Fixes bug #9627.

Changed paths:
    engines/kyra/lol.h
    engines/kyra/scene_lol.cpp



diff --git a/engines/kyra/lol.h b/engines/kyra/lol.h
index af58397..9f952e5 100644
--- a/engines/kyra/lol.h
+++ b/engines/kyra/lol.h
@@ -987,8 +987,7 @@ private:
 	uint16 _specialGuiShapeY;
 	uint16 _specialGuiShapeMirrorFlag;
 
-	char _lastOverridePalFile[12];
-	char *_lastOverridePalFilePtr;
+	Common::String _lastOverridePalFile;
 	int _lastSpecialColor;
 	int _lastSpecialColorWeight;
 
diff --git a/engines/kyra/scene_lol.cpp b/engines/kyra/scene_lol.cpp
index 391de5e..a746080 100644
--- a/engines/kyra/scene_lol.cpp
+++ b/engines/kyra/scene_lol.cpp
@@ -303,12 +303,10 @@ void LoLEngine::loadLevelGraphics(const char *file, int specialColor, int weight
 		_lastSpecialColor = specialColor;
 		_lastSpecialColorWeight = weight;
 		strcpy(_lastBlockDataFile, file);
-		if (palFile) {
-			strcpy(_lastOverridePalFile, palFile);
-			_lastOverridePalFilePtr = _lastOverridePalFile;
-		} else {
-			_lastOverridePalFilePtr = 0;
-		}
+		if (palFile)
+			_lastOverridePalFile = palFile;
+		else
+			_lastOverridePalFile.clear();
 	}
 
 	if (_flags.use16ColorMode) {
@@ -361,8 +359,8 @@ void LoLEngine::loadLevelGraphics(const char *file, int specialColor, int weight
 		memcpy(_vcnColTable, v, 128);
 		v += 128;
 
-		if (_lastOverridePalFilePtr) {
-			_res->loadFileToBuf(_lastOverridePalFilePtr, _screen->getPalette(0).getData(), 384);
+		if (!_lastOverridePalFile.empty()) {
+			_res->loadFileToBuf(_lastOverridePalFile.c_str(), _screen->getPalette(0).getData(), 384);
 		} else {
 			_screen->getPalette(0).copy(v, 0, 128);
 		}

More information about the Scummvm-git-logs mailing list