[Scummvm-git-logs] scummvm master -> a62f8faf93539b8d55dcb54b1f63f4389828e163

mduggan mgithub at guarana.org
Sun May 3 08:25:41 UTC 2020 

This automated email contains information about 1 new commit which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
a62f8faf93 ULTIMA8: Sanity check shape data on load


Commit: a62f8faf93539b8d55dcb54b1f63f4389828e163
    https://github.com/scummvm/scummvm/commit/a62f8faf93539b8d55dcb54b1f63f4389828e163
Author: Matthew Duggan (mgithub at guarana.org)
Date: 2020-05-03T17:25:31+09:00

Commit Message:
ULTIMA8: Sanity check shape data on load

This avoids crashes loading Crusader: No Remorse font #2.

Changed paths:
    engines/ultima/ultima8/graphics/raw_shape_frame.cpp
    engines/ultima/ultima8/graphics/shape.cpp


diff --git a/engines/ultima/ultima8/graphics/raw_shape_frame.cpp b/engines/ultima/ultima8/graphics/raw_shape_frame.cpp
index dea5b53725..fdf2e85f79 100644
--- a/engines/ultima/ultima8/graphics/raw_shape_frame.cpp
+++ b/engines/ultima/ultima8/graphics/raw_shape_frame.cpp
@@ -113,12 +113,23 @@ void RawShapeFrame::loadGenericFormat(const uint8 *data, uint32 size, const Conv
 	if (_height == 0)
 		return;
 
+	// Fairly arbitrary sanity check
+	if (_height > 4096 || _width > 4096 || _xoff > 4096 || _yoff > 4096) {
+		warning("got some invalid data loading shape");
+		_width = _height = _xoff = _yoff = 0;
+		return;
+	}
+
 	_line_offsets = new uint32[_height];
 
 	for (int32 i = 0; i < _height; i++) {
 		if (format->_line_offset_absolute) {
 			_line_offsets[i] = ds.readX(format->_bytes_line_offset);
 		} else {
+			if (ds.size() - ds.pos() < (int32)format->_bytes_line_offset) {
+				warning("going off end of %d buffer at %d reading %d",
+						ds.size(), ds.pos(), format->_bytes_line_offset);
+			}
 			_line_offsets[i] = ds.readX(format->_bytes_line_offset) - ((_height - i) * format->_bytes_line_offset);
 		}
 	}
diff --git a/engines/ultima/ultima8/graphics/shape.cpp b/engines/ultima/ultima8/graphics/shape.cpp
index 3afe16eb90..b3bc6cfda5 100644
--- a/engines/ultima/ultima8/graphics/shape.cpp
+++ b/engines/ultima/ultima8/graphics/shape.cpp
@@ -195,6 +195,11 @@ Common::Array<RawShapeFrame *> Shape::loadGenericFormat(const uint8 *data, uint3
 		if (format->_bytes_frame_length) framesize = ds.readX(format->_bytes_frame_length) + format->_bytes_frame_length_kludge;
 		else framesize = size - frameoffset;
 
+		if (framesize > size) {
+			warning("shape frame %d goes off the end of the buffer, stopping early", i);
+			break;
+		}
+
 		ConvertShapeFrame *prev = nullptr, p;
 
 		if (format->_bytes_special && i > 0) {

More information about the Scummvm-git-logs mailing list