[Scummvm-git-logs] scummvm branch-2-3 -> 4cb52e7ff30f6410d01a99b6dc7520b21d8da7de

sev- sev at scummvm.org
Sun Sep 5 19:22:21 UTC 2021


This automated email contains information about 1 new commit which has been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
4cb52e7ff3 COMMON: Don't decompress more bytes than the file specifies (bug 12900)


Commit: 4cb52e7ff30f6410d01a99b6dc7520b21d8da7de
    https://github.com/scummvm/scummvm/commit/4cb52e7ff30f6410d01a99b6dc7520b21d8da7de
Author: Torbjörn Andersson (eriktorbjorn at users.sourceforge.net)
Date: 2021-09-05T21:22:06+02:00

Commit Message:
COMMON: Don't decompress more bytes than the file specifies (bug 12900)

When running my CD version of Buried in Time, the loadFromCompressedEXE()
function would try to decompress beyond the allocated buffer, causing it
to crash. Up to that point, the decompressed data was identical to what
I would get if I let the original installer decompress the EXE and DLL
files.

So keep track of how many bytes have been decompressed, and terminate
when the upper limit is reached.

Changed paths:
    common/winexe.cpp


diff --git a/common/winexe.cpp b/common/winexe.cpp
index 31750c7f5c..191f8620f0 100644
--- a/common/winexe.cpp
+++ b/common/winexe.cpp
@@ -131,29 +131,39 @@ bool WinResources::loadFromCompressedEXE(const String &fileName) {
 	assert(unpackedData);
 	byte *dataPos = unpackedData;
 
+	uint32 remaining = unpackedLength;
+
 	// Apply simple LZSS decompression
 	for (;;) {
 		byte controlByte = file.readByte();
 
-		if (file.eos())
+		if (remaining == 0 || file.eos())
 			break;
 
 		for (byte i = 0; i < 8; i++) {
 			if (controlByte & (1 << i)) {
 				*dataPos++ = window[pos++] = file.readByte();
 				pos &= 0xFFF;
+				if (--remaining == 0)
+					break;
 			} else {
 				int matchPos = file.readByte();
 				int matchLen = file.readByte();
 				matchPos |= (matchLen & 0xF0) << 4;
 				matchLen = (matchLen & 0xF) + 3;
+				if ((uint32)matchLen > remaining)
+					matchLen = remaining;
+				remaining -= matchLen;
+
 				while (matchLen--) {
 					*dataPos++ = window[pos++] = window[matchPos++];
 					pos &= 0xFFF;
 					matchPos &= 0xFFF;
 				}
-			}
 
+				if (remaining == 0)
+					break;
+			}
 		}
 	}
 
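Review bot: The file.eos() test still runs only once per control byte, at the top of the outer loop, so the readByte() calls inside the inner loop (the literal byte, and the matchPos/matchLen pair) are never checked for end of stream. The new remaining counter bounds the writes to unpackedLength bytes, but a stream that ends in the middle of a group of eight items still has the results of failed reads copied into the window and the output, and the loop can then exit with remaining != 0 without anything in these lines reporting it. Consider testing file.eos() after the reads inside the inner loop, and treating remaining != 0 after the loop as a failed load rather than returning partially filled data. A smaller point: both new break statements leave only the inner for loop, so termination relies on the outer `if (remaining == 0 || file.eos())`, which runs after one more control byte has already been read; writing the outer loop as `while (remaining > 0)` would state the bound directly and avoid the extra read.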



