[Scummvm-git-logs] scummvm master -> f99c83c0a003834a8d3d9f2f608f447cb21df3f1
csnover
csnover at users.noreply.github.com
Sat Nov 11 23:19:47 CET 2017
This automated email contains information about 1 new commit which has been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .
Summary:
f99c83c0a0 DREAMWEB: Fix out-of-bounds read of frame animation data
Commit: f99c83c0a003834a8d3d9f2f608f447cb21df3f1
https://github.com/scummvm/scummvm/commit/f99c83c0a003834a8d3d9f2f608f447cb21df3f1
Author: Colin Snover (github.com at zetafleet.com)
Date: 2017-11-11T16:19:23-06:00
Commit Message:
DREAMWEB: Fix out-of-bounds read of frame animation data
The game reads until it sees 0xFF, which is not until frame 14 for
some animations in the first interactive room of the game. This
happened to work previously because the struct is packed so it
would read into the b31.. members, but this was still technically
an out-of-bounds read.
Changed paths:
engines/dreamweb/structs.h
diff --git a/engines/dreamweb/structs.h b/engines/dreamweb/structs.h
index cc300e8..58ce03d 100644
--- a/engines/dreamweb/structs.h
+++ b/engines/dreamweb/structs.h
@@ -77,35 +77,7 @@ struct SetObject {
uint8 objId[4];
uint8 b16;
uint8 index;
- uint8 frames[13]; // Table mapping animFrame to sprite frame number
- // NB: Don't know the size yet
- uint8 b31;
- uint8 b32;
- uint8 b33;
- uint8 b34;
- uint8 b35;
- uint8 b36;
- uint8 b37;
- uint8 b38;
- uint8 b39;
- uint8 b40;
- uint8 b41;
- uint8 b42;
- uint8 b43;
- uint8 b44;
- uint8 b45;
- uint8 b46;
- uint8 b47;
- uint8 b48;
- uint8 b49;
- uint8 b50;
- uint8 b51;
- uint8 b52;
- uint8 b53;
- uint8 b54;
- uint8 b55;
- uint8 b56;
- uint8 b57;
+ uint8 frames[40]; // Table mapping animFrame to sprite frame number
uint8 mapad[5];
uint8 b63;
} PACKED_STRUCT;
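Review bot: on the added `uint8 frames[40]` line, the comment should say that the table is terminated by 0xFF and that 40 is the old 13 entries plus the 27 bytes of the removed b31..b57 members, so the packed size and the offsets of mapad and b63 stay the same. The removed "Don't know the size yet" note was the only hint that the length is inferred rather than known, and that is worth keeping in some form. The commit message says the reader scans until it sees 0xFF; nothing in this hunk bounds that scan, so a table with no 0xFF among its 40 entries would still read on into mapad. Consider capping the loop in the reader at the array size.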