[Scummvm-git-logs] scummvm branch-1-9 -> 491a664180ce12dffce5eb21d5e7e9c3df4e6066
wjp
wjp at usecode.org
Wed Oct 26 22:57:34 CEST 2016
This automated email contains information about 2 new commits which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .
Summary:
e5a852f966 KYRA: (LOL) Fix buffer overflow in _lastOverridePalFile
491a664180 MADS: Fix two off-by-ones in Fader::insertionSort
Commit: e5a852f966420d678d6285bd3038151f1f61f2fa
https://github.com/scummvm/scummvm/commit/e5a852f966420d678d6285bd3038151f1f61f2fa
Author: Willem Jan Palenstijn (wjp at usecode.org)
Date: 2016-10-26T22:54:14+02:00
Commit Message:
KYRA: (LOL) Fix buffer overflow in _lastOverridePalFile
It was storing filenames of length 12 in a char[12] buffer.
Fixes bug #9627.
Changed paths:
engines/kyra/lol.h
engines/kyra/scene_lol.cpp
diff --git a/engines/kyra/lol.h b/engines/kyra/lol.h
index af58397..9f952e5 100644
--- a/engines/kyra/lol.h
+++ b/engines/kyra/lol.h
@@ -987,8 +987,7 @@ private:
uint16 _specialGuiShapeY;
uint16 _specialGuiShapeMirrorFlag;
- char _lastOverridePalFile[12];
- char *_lastOverridePalFilePtr;
+ Common::String _lastOverridePalFile;
int _lastSpecialColor;
int _lastSpecialColorWeight;
diff --git a/engines/kyra/scene_lol.cpp b/engines/kyra/scene_lol.cpp
index 391de5e..a746080 100644
--- a/engines/kyra/scene_lol.cpp
+++ b/engines/kyra/scene_lol.cpp
@@ -303,12 +303,10 @@ void LoLEngine::loadLevelGraphics(const char *file, int specialColor, int weight
_lastSpecialColor = specialColor;
_lastSpecialColorWeight = weight;
strcpy(_lastBlockDataFile, file);
- if (palFile) {
- strcpy(_lastOverridePalFile, palFile);
- _lastOverridePalFilePtr = _lastOverridePalFile;
- } else {
- _lastOverridePalFilePtr = 0;
- }
+ if (palFile)
+ _lastOverridePalFile = palFile;
+ else
+ _lastOverridePalFile.clear();
}
if (_flags.use16ColorMode) {
@@ -361,8 +359,8 @@ void LoLEngine::loadLevelGraphics(const char *file, int specialColor, int weight
memcpy(_vcnColTable, v, 128);
v += 128;
- if (_lastOverridePalFilePtr) {
- _res->loadFileToBuf(_lastOverridePalFilePtr, _screen->getPalette(0).getData(), 384);
+ if (!_lastOverridePalFile.empty()) {
+ _res->loadFileToBuf(_lastOverridePalFile.c_str(), _screen->getPalette(0).getData(), 384);
} else {
_screen->getPalette(0).copy(v, 0, 128);
}
Commit: 491a664180ce12dffce5eb21d5e7e9c3df4e6066
https://github.com/scummvm/scummvm/commit/491a664180ce12dffce5eb21d5e7e9c3df4e6066
Author: Willem Jan Palenstijn (wjp at usecode.org)
Date: 2016-10-26T22:54:17+02:00
Commit Message:
MADS: Fix two off-by-ones in Fader::insertionSort
Fixes bug #9631.
Changed paths:
engines/mads/palette.cpp
diff --git a/engines/mads/palette.cpp b/engines/mads/palette.cpp
index 7651fe8..de87029 100644
--- a/engines/mads/palette.cpp
+++ b/engines/mads/palette.cpp
@@ -665,15 +665,15 @@ void Fader::insertionSort(int size, byte *id, byte *value) {
int moveCount = size - arrIndex - 1;
if (moveCount > 0) {
- Common::copy(idP + 1, idP + moveCount + 2, idP);
- Common::copy(valueP + 1, valueP + moveCount + 2, valueP);
+ Common::copy(idP + 1, idP + moveCount + 1, idP);
+ Common::copy(valueP + 1, valueP + moveCount + 1, valueP);
}
// Scan for insert spot
int idx = 0;
if (endIndex > 0) {
bool breakFlag = false;
- for (; idx <= endIndex && !breakFlag; ++idx) {
+ for (; idx <= endIndex - 1 && !breakFlag; ++idx) {
breakFlag = savedId < id[idx];
}
}
More information about the Scummvm-git-logs
mailing list