[Scummvm-git-logs] scummvm master -> 24ea36d3e966fab4d81bf5eceb696b1934580ce9

bluegr bluegr at gmail.com
Sun Sep 5 18:26:51 UTC 2021


This automated email contains information about 1 new commit which has been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
24ea36d3e9 COMMON: Don't decompress more bytes than the file specifies (bug 12900)


Commit: 24ea36d3e966fab4d81bf5eceb696b1934580ce9
    https://github.com/scummvm/scummvm/commit/24ea36d3e966fab4d81bf5eceb696b1934580ce9
Author: Torbjörn Andersson (eriktorbjorn at users.sourceforge.net)
Date: 2021-09-05T21:26:49+03:00

Commit Message:
COMMON: Don't decompress more bytes than the file specifies (bug 12900)

When running my CD version of Buried in Time, the loadFromCompressedEXE()
function would try to decompress beyond the allocated buffer, causing it
to crash. Up to that point, the decompressed data was identical to what
I would get if I let the original installer decompress the EXE and DLL
files.

So keep track of how many bytes have been decompressed, and terminate
when the upper limit is reached.

Changed paths:
    common/winexe.cpp


diff --git a/common/winexe.cpp b/common/winexe.cpp
index 31750c7f5c..191f8620f0 100644
--- a/common/winexe.cpp
+++ b/common/winexe.cpp
@@ -131,29 +131,39 @@ bool WinResources::loadFromCompressedEXE(const String &fileName) {
 	assert(unpackedData);
 	byte *dataPos = unpackedData;
 
+	uint32 remaining = unpackedLength;
+
 	// Apply simple LZSS decompression
 	for (;;) {
 		byte controlByte = file.readByte();
 
-		if (file.eos())
+		if (remaining == 0 || file.eos())
 			break;
 
 		for (byte i = 0; i < 8; i++) {
 			if (controlByte & (1 << i)) {
 				*dataPos++ = window[pos++] = file.readByte();
 				pos &= 0xFFF;
+				if (--remaining == 0)
+					break;
 			} else {
 				int matchPos = file.readByte();
 				int matchLen = file.readByte();
 				matchPos |= (matchLen & 0xF0) << 4;
 				matchLen = (matchLen & 0xF) + 3;
+				if ((uint32)matchLen > remaining)
+					matchLen = remaining;
+				remaining -= matchLen;
+
 				while (matchLen--) {
 					*dataPos++ = window[pos++] = window[matchPos++];
 					pos &= 0xFFF;
 					matchPos &= 0xFFF;
 				}
-			}
 
+				if (remaining == 0)
+					break;
+			}
 		}
 	}
 
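Review bot: In the match branch, clamping `matchLen` to `remaining` cuts an overlong back-reference short without reporting it, and nothing in this hunk distinguishes a stream that tried to produce more than `unpackedLength` bytes from a well-formed one; consider logging a warning when the clamp fires, and also when `file.eos()` ends the loop while `remaining` is still nonzero, so a corrupt or mis-parsed archive is visible. Separately, the three `file.readByte()` calls inside the `for (byte i = 0; i < 8; i++)` loop are still not checked against `file.eos()`, so on a truncated file the rest of the current group of eight items is decoded from whatever `readByte()` returns before the outer check runs; the writes are now bounded by `remaining`, but the data decoded past that point does not come from the file. The `remaining == 0` test also sits after `controlByte` has been read, so one extra input byte is consumed once the limit is reached; making `remaining > 0` the condition of the outer loop would avoid that and state the bound where a reader looks for it.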



