[Scummvm-git-logs] scummvm master -> 4f70962dbf3c10fd3c13f0d25633459efb17ca81

AndywinXp noreply at scummvm.org
Tue Dec 31 09:56:37 UTC 2024


This automated email contains information about 1 new commit which has been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
4f70962dbf SCUMM: mixer_he: Add check that sample buffer has enough samples for fade in


Commit: 4f70962dbf3c10fd3c13f0d25633459efb17ca81
    https://github.com/scummvm/scummvm/commit/4f70962dbf3c10fd3c13f0d25633459efb17ca81
Author: Vlad Doc (totallynotafakesoap at gmail.com)
Date: 2024-12-31T10:56:33+01:00

Commit Message:
SCUMM: mixer_he: Add check that sample buffer has enough samples for fade in

Heap buffer overflow mitigation

Changed paths:
    engines/scumm/he/mixer_he.cpp


diff --git a/engines/scumm/he/mixer_he.cpp b/engines/scumm/he/mixer_he.cpp
index b6a3cb405e2..266ae7d2c52 100644
--- a/engines/scumm/he/mixer_he.cpp
+++ b/engines/scumm/he/mixer_he.cpp
@@ -587,12 +587,15 @@ bool HEMixer::mixerStartChannel(
 		// sounds might have early callbacks, so we still have to copy
 		// data over, instead of using the original buffer.
 		if (!(_mixerChannels[channel].flags & CHANNEL_LOOPING)) {
-			data = (byte *)malloc(_mixerChannels[channel].sampleLen);
+			const int rampUpSampleCount = !is3DOMusic ? 64 : 128;
+            int samplesSize = _mixerChannels[channel].sampleLen;
+
+			data = (byte *)malloc(samplesSize);
 
 			if (!data)
 				return false;
 
-			memcpy(data, ptr, _mixerChannels[channel].sampleLen);
+			memcpy(data, ptr, samplesSize);
 
 			// Residual early callback data
 			if (hasCallbackData) {
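
Review bot: `samplesSize` is declared as a signed `int` and then passed straight to `malloc()` and `memcpy()`, with no check in these lines that it is positive. The hunk does not show the type of `sampleLen`; if it can ever be zero or negative, the conversion to a size argument is where the heap problem would start, so consider rejecting a non-positive length before the allocation or giving `samplesSize` the same unsigned type as the field. A short comment that the value is a byte count which is later compared against a sample count (valid only because the samples are 8-bit) would also help. Style: the `int samplesSize` line is indented with spaces while the surrounding lines use tabs.
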
@@ -604,16 +607,15 @@ bool HEMixer::mixerStartChannel(
 
 			// Fade-in to avoid possible sound popping...
 			byte *dataTmp = data;
-			int rampUpSampleCount = 64;
-			if (!is3DOMusic) {
+            // Do fade-in only if there's enough samples to do so
+			if (!is3DOMusic && samplesSize >= rampUpSampleCount) {
 				for (int i = 0; i < rampUpSampleCount; i++) {
 					*dataTmp = 128 + (((*dataTmp - 128) * i) / rampUpSampleCount);
 					dataTmp++;
 				}
-			} else {
+			} else if(samplesSize >= rampUpSampleCount) {
 				// We can't just ramp volume as done above, we have to take
 				// into account the fact that 3DO music is 8-bit -> signed <-
-				rampUpSampleCount = 128;
 				for (int i = 0; i < rampUpSampleCount; i++) {
 					int8 signedSample = (int8)(*dataTmp);
 					signedSample = (signedSample * i) / rampUpSampleCount;
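
Review bot: In the fade-in block, a buffer shorter than `rampUpSampleCount` now gets no ramp at all, so the short sounds this check protects lose the popping protection the comment above the block describes. Clamping the ramp length to the smaller of `samplesSize` and `rampUpSampleCount` and using that value as both the loop bound and the divisor would keep the writes inside the buffer and still fade short samples in. If skipping is the intended behaviour, the `samplesSize >= rampUpSampleCount` test is duplicated across the `if` and the `else if`; hoisting it into one outer condition around the 3DO / non-3DO branches makes the bound check harder to drop in a later edit. Style: `else if(` is missing a space before the parenthesis, and the new comment line is indented with spaces rather than tabs.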



