[Scummvm-git-logs] scummvm master -> 7cda72a79c14d50d46954abecb4fa08fe68adf6d
athrxx
athrxx at scummvm.org
Fri Nov 6 16:00:34 UTC 2020
This automated email contains information about 1 new commit which has been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm.
Summary:
7cda72a79c KYRA: Fix crash in Siberian Goblin translation of HoF (#2609)
Commit: 7cda72a79c14d50d46954abecb4fa08fe68adf6d
https://github.com/scummvm/scummvm/commit/7cda72a79c14d50d46954abecb4fa08fe68adf6d
Author: Vladimir Serbinenko (phcoder at google.com)
Date: 2020-11-06T17:00:30+01:00
Commit Message:
KYRA: Fix crash in Siberian Goblin translation of HoF (#2609)
* KYRA: don't attempt to execute functions out of bounds
This fixes a crash in the Siberian Goblin translation of HoF on the scarecrow scene
* KYRA: Add sanity check not to execute out of bounds
Changed paths:
engines/kyra/script/script.cpp
engines/kyra/script/script.h
diff --git a/engines/kyra/script/script.cpp b/engines/kyra/script/script.cpp
index 27c9643034..b53de0475a 100644
--- a/engines/kyra/script/script.cpp
+++ b/engines/kyra/script/script.cpp
@@ -70,6 +70,7 @@ bool EMCInterpreter::callback(Common::IFFChunk &chunk) {
case MKTAG('O','R','D','R'):
_scriptData->ordr = new uint16[chunk._size >> 1];
+ _scriptData->ordrSize = chunk._size;
assert(_scriptData->ordr);
if (chunk._stream->read(_scriptData->ordr, chunk._size) != chunk._size)
error("Couldn't read ORDR chunk from file '%s'", _filename);
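Review bot: ordrSize records chunk._size in bytes while ordr is allocated with chunk._size >> 1 elements, so an odd chunk size overstates the buffer by one byte; the new checks in start() and run() compare against these fields, so the stored size should be the even number of bytes the array actually holds, `_scriptData->ordrSize = chunk._size & ~1u;`. The same applies to dataSize in the next hunk. Both fields are only assigned when their chunk is present; whether EMCData is zeroed before the IFF parse is not visible here and is worth confirming, since an unset ordrSize would leave start() comparing against garbage. A one-line comment such as `// byte size of ordr[]; start() indexes by ordrSize / 2` would make the unit explicit at the assignment.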
@@ -80,6 +81,7 @@ bool EMCInterpreter::callback(Common::IFFChunk &chunk) {
case MKTAG('D','A','T','A'):
_scriptData->data = new uint16[chunk._size >> 1];
+ _scriptData->dataSize = chunk._size;
assert(_scriptData->data);
if (chunk._stream->read(_scriptData->data, chunk._size) != chunk._size)
error("Couldn't read DATA chunk from file '%s'", _filename);
@@ -156,6 +158,9 @@ bool EMCInterpreter::start(EMCState *script, int function) {
if (!script->dataPtr)
return false;
+ if (function >= (int) script->dataPtr->ordrSize / 2 || function < 0)
+ return false;
+
uint16 functionOffset = script->dataPtr->ordr[function];
if (functionOffset == 0xFFFF)
return false;
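Review bot: The cast in `(int) script->dataPtr->ordrSize / 2` binds to ordrSize before the division, which reads as if the quotient were being cast and mixes a signed function index with an unsigned size; writing the guard as `if (function < 0 || (uint32)function >= script->dataPtr->ordrSize / 2)` checks the sign first and keeps the comparison unsigned. The rest of start() continues outside this hunk.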
@@ -166,6 +171,8 @@ bool EMCInterpreter::start(EMCState *script, int function) {
else
script->ip = &script->dataPtr->data[functionOffset];
} else {
+ if (functionOffset+1 >= (int) script->dataPtr->dataSize / 2)
+ return false;
script->ip = &script->dataPtr->data[functionOffset+1];
}
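Review bot: Only the `functionOffset+1` branch gets a bounds check; the `else` branch two lines above still does `script->ip = &script->dataPtr->data[functionOffset]` with no comparison against dataSize, so a corrupt ORDR entry there is caught later by run() as a fatal error() instead of a graceful `return false`. Since every branch indexes data by at least functionOffset, one guard before the enclosing if/else covers all of them, `if (functionOffset >= script->dataPtr->dataSize / 2) return false;`, with the existing `+1` check kept for the second branch. The enclosing if/else begins outside this hunk.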
@@ -187,6 +194,10 @@ bool EMCInterpreter::run(EMCState *script) {
// Should be no Problem at all to cast to uint32 here, since that's the biggest ptrdiff the original
// would allow, of course that's not realistic to happen to be somewhere near the limit of uint32 anyway.
const uint32 instOffset = (uint32)((const byte *)script->ip - (const byte *)script->dataPtr->data);
+ if ((int32)instOffset < 0 || instOffset >= script->dataPtr->dataSize) {
+ error("Attempt to execute out of bounds: 0x%.08X out of 0x%.08X",
+ instOffset, script->dataPtr->dataSize);
+ }
int16 code = *script->ip++;
int16 opcode = (code >> 8) & 0x1F;
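Review bot: The check passes as long as the first byte of the instruction lies inside the chunk, but the fetch on the next line reads a full uint16, so with an odd dataSize an instOffset of dataSize - 1 is accepted and reads past the buffer allocated with dataSize >> 1 elements; comparing the end of the word instead, `if (instOffset + sizeof(uint16) > script->dataPtr->dataSize)`, closes that gap. The `(int32)instOffset < 0` test is redundant with the unsigned comparison unless dataSize can exceed INT32_MAX, which the chunk reader presumably never produces. Operand words read after this hunk are not covered by the check; whether that matters depends on code outside the hunk.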
diff --git a/engines/kyra/script/script.h b/engines/kyra/script/script.h
index 12a44b0a03..73f14b3f5c 100644
--- a/engines/kyra/script/script.h
+++ b/engines/kyra/script/script.h
@@ -38,8 +38,9 @@ struct EMCData {
byte *text;
uint16 *data;
+ uint32 ordrSize;
uint16 *ordr;
- uint16 dataSize;
+ uint32 dataSize;
const Common::Array<const Opcode *> *sysFuncs;
};
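Review bot: The two new size fields carry no indication of their unit, and ordrSize is placed between data and ordr rather than next to the array it describes; a reader of start() has to go back to callback() to learn that these are byte counts. Suggest `uint32 ordrSize; // byte size of the ORDR chunk; ordr holds ordrSize / 2 entries` and `uint32 dataSize; // byte size of the DATA chunk; data holds dataSize / 2 words`, placed directly after their pointers. If the project allows default member initializers, `= 0` on both would also guarantee a defined value when a script file lacks one of the chunks.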