[Scummvm-git-logs] scummvm master -> daca89fcc7696dc93f26227f5f1badbccae957b1
sev-
noreply at scummvm.org
Thu Sep 14 07:12:58 UTC 2023
This automated email contains information about 1 new commit which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .
Summary:
daca89fcc7 TINSEL: Fix out-of-bounds memory corruption
Commit: daca89fcc7696dc93f26227f5f1badbccae957b1
https://github.com/scummvm/scummvm/commit/daca89fcc7696dc93f26227f5f1badbccae957b1
Author: Miro Kropacek (miro.kropacek at gmail.com)
Date: 2023-09-14T09:12:54+02:00
Commit Message:
TINSEL: Fix out-of-bounds memory corruption
for's condition is evaluated after the expression(s) so we ended up
reading invalid memory in ptp.
Changed paths:
engines/tinsel/polygons.cpp
diff --git a/engines/tinsel/polygons.cpp b/engines/tinsel/polygons.cpp
index 1ec55014426..9d2a361e97e 100644
--- a/engines/tinsel/polygons.cpp
+++ b/engines/tinsel/polygons.cpp
@@ -321,9 +321,10 @@ void Poly::nextPoly() {
nlistx = (const int32 *)(_pStart + (int)FROM_32(pnodelistx));
nlisty = (const int32 *)(_pStart + (int)FROM_32(pnodelisty));
- if (TinselVersion == 0)
+ if (TinselVersion == 0) {
// Skip to the last 4 bytes of the record for the hScript value
_pData = pRecord + 0x62C;
+ }
hScript = nextLong(_pData);
}
@@ -1886,7 +1887,11 @@ void InitPolygons(SCNHANDLE ph, int numPoly, bool bRestart) {
if (numPoly > 0) {
Poly ptp(_vm->_handle->LockMem(ph));
- for (int i = 0; i < numPoly; ++i, ++ptp) {
+ for (int i = 0; i < numPoly; ++i) {
+ // 'ptp' has already been initialized in its c-tor
+ if (i > 0)
+ ++ptp;
+
switch (ptp.getType()) {
case POLY_PATH:
InitPath(ptp, false, i, bRestart);
More information about the Scummvm-git-logs
mailing list