[Scummvm-git-logs] scummvm master -> 66ef65a81ee14ade7f3b10518b4e54e17a60241b

sev- noreply at scummvm.org
Fri Jan 24 22:37:08 UTC 2025


This automated email contains information about 2 new commits which have been
pushed to the 'scummvm' repo located at https://github.com/scummvm/scummvm .

Summary:
d297c94982 DIRECTOR: Fix UB when calculating checksum
66ef65a81e DIRECTOR: Fix out of bound access while calling transformColor


Commit: d297c94982a866bf744678391fae0214a148f174
    https://github.com/scummvm/scummvm/commit/d297c94982a866bf744678391fae0214a148f174
Author: Le Philousophe (lephilousophe at users.noreply.github.com)
Date: 2025-01-24T23:37:04+01:00

Commit Message:
DIRECTOR: Fix UB when calculating checksum

The constant contained an extraneous F which is removed.
In addition, mark it as unsigned to avoid undefined behaviours while
manipulating too large constants.

Changed paths:
    engines/director/cast.cpp


diff --git a/engines/director/cast.cpp b/engines/director/cast.cpp
index 9434cebf8b3..7727fdad077 100644
--- a/engines/director/cast.cpp
+++ b/engines/director/cast.cpp
@@ -512,7 +512,7 @@ bool Cast::loadConfig() {
 		check *= field25 + 25;
 		check += _frameRate + 26;
 		check *= platform + 27;
-		check *= (protection * 0xE06) + 0xFFF450000;
+		check *= (protection * 0xE06) + 0xFF450000u;
 		check ^= MKTAG('r', 'a', 'l', 'f');
 
 		if (check != checksum)
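Review bot: on the changed line only the added constant is forced unsigned; `(protection * 0xE06)` is still evaluated in whatever type `protection` has, which this hunk does not show. If that type is a signed int, the multiplication can still overflow before the unsigned addition takes over. Writing `0xE06u`, or casting `protection` to the type of `check`, would make the whole expression unsigned, and a short comment that the checksum relies on unsigned wraparound would keep the suffix from being dropped later.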


Commit: 66ef65a81ee14ade7f3b10518b4e54e17a60241b
    https://github.com/scummvm/scummvm/commit/66ef65a81ee14ade7f3b10518b4e54e17a60241b
Author: Le Philousophe (lephilousophe at users.noreply.github.com)
Date: 2025-01-24T23:37:04+01:00

Commit Message:
DIRECTOR: Fix out of bound access while calling transformColor

The values read are in fact signed values but centered around 0x80.
So, 0 means 0x80 while 0x80 means 0.
Xoring the high order bit is enough for this and it's already done like
this at line 222 in the file.
This fixes an out of bound read when the value 0x80 is read (off by
one).

Changed paths:
    engines/director/frame.cpp


diff --git a/engines/director/frame.cpp b/engines/director/frame.cpp
index c7327d4afcc..f9a77b8a4dc 100644
--- a/engines/director/frame.cpp
+++ b/engines/director/frame.cpp
@@ -304,7 +304,7 @@ void readSpriteDataD2(Common::SeekableReadStreamEndian &stream, Sprite &sprite,
 				stream.readByte();
 			} else {
 				// Normalize D2 and D3 colors from -128 ... 127 to 0 ... 255.
-				sprite._foreColor = g_director->transformColor((128 + stream.readByte()) & 0xff);
+				sprite._foreColor = g_director->transformColor(stream.readByte() ^ 0x80);
 			}
 			break;
 		case 3:
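Review bot: the removed `_foreColor` line already masked the sum with `& 0xff`, and for a byte in 0 ... 255 `(128 + b) & 0xff` and `b ^ 0x80` give the same value, so in this hunk the change is about consistency rather than bounds. The new form has no mask and stays in range only if `stream.readByte()` returns an unsigned 8-bit value; if that is the contract, the comment above the line could say so.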
@@ -312,7 +312,7 @@ void readSpriteDataD2(Common::SeekableReadStreamEndian &stream, Sprite &sprite,
 				stream.readByte();
 			} else {
 				// Normalize D2 and D3 colors from -128 ... 127 to 0 ... 255.
-				sprite._backColor = g_director->transformColor((128 + stream.readByte()) & 0xff);
+				sprite._backColor = g_director->transformColor(stream.readByte() ^ 0x80);
 			}
 			break;
 		case 4:
@@ -506,8 +506,8 @@ void Frame::readMainChannelsD4(Common::MemoryReadStreamEndian &stream, uint16 of
 			break;
 		case 22:
 			// loop points for color cycling
-			_mainChannels.palette.firstColor = g_director->transformColor(stream.readByte() + 0x80); // 22
-			_mainChannels.palette.lastColor = g_director->transformColor(stream.readByte() + 0x80); // 23
+			_mainChannels.palette.firstColor = g_director->transformColor(stream.readByte() ^ 0x80); // 22
+			_mainChannels.palette.lastColor = g_director->transformColor(stream.readByte() ^ 0x80); // 23
 			break;
 		case 24:
 			_mainChannels.palette.flags = stream.readByte(); // 24
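Review bot: the removed `stream.readByte() + 0x80` lines in `case 22` had no `& 0xff`, so this is where the argument to `transformColor` could go past 255. These bytes come straight from the stream, so a range check or assert inside `transformColor` would stop a future caller with the same mistake from reading out of bounds again. The normalization comment carried by the D2 code (`-128 ... 127 to 0 ... 255`) would also be useful on these two lines.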
@@ -826,8 +826,8 @@ void Frame::readMainChannelsD5(Common::MemoryReadStreamEndian &stream, uint16 of
 			_mainChannels.palette.overTime = (_mainChannels.palette.flags & 0x04) != 0;
 			break;
 		case 30:
-			_mainChannels.palette.firstColor = g_director->transformColor(stream.readByte() + 0x80); // 30
-			_mainChannels.palette.lastColor = g_director->transformColor(stream.readByte() + 0x80); // 31
+			_mainChannels.palette.firstColor = g_director->transformColor(stream.readByte() ^ 0x80); // 30
+			_mainChannels.palette.lastColor = g_director->transformColor(stream.readByte() ^ 0x80); // 31
 			break;
 		case 32:
 			_mainChannels.palette.frameCount = stream.readUint16(); // 32
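Review bot: `case 30` has neither the `loop points for color cycling` comment that `case 22` carries in the D4 reader nor a note on why `^ 0x80` is applied. The same expression now appears six times in this patch; a small named helper for the read-and-normalize step would keep the D2, D4 and D5 readers in sync.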



