[Scummvm-git-logs] scummvm master -> c9ae26fe75b81201832d1ce941c001c4274b9baa

Wed Mar 11 15:38:20 UTC 2026

This automated email contains information about 1 new commit which have been
pushed to the 'scummvm' repo located at https://api.github.com/repos/scummvm/scummvm .

Summary:
c9ae26fe75 GAMOS: Fix possible Out-of-bounds access CID 1645142, 1645143, 1645149, 1645152, 1645153, 1645155


Commit: c9ae26fe75b81201832d1ce941c001c4274b9baa
    https://github.com/scummvm/scummvm/commit/c9ae26fe75b81201832d1ce941c001c4274b9baa
Author: Marisa-Chan (thunder_8888 at mail.ru)
Date: 2026-03-11T22:37:56+07:00

Commit Message:
GAMOS: Fix possible Out-of-bounds access CID 1645142, 1645143, 1645149, 1645152, 1645153, 1645155

Changed paths:
    engines/gamos/vm.cpp

diff --git a/engines/gamos/vm.cpp b/engines/gamos/vm.cpp
index cd140c53679..d770499cb6a 100644
--- a/engines/gamos/vm.cpp
+++ b/engines/gamos/vm.cpp
@@ -488,8 +488,15 @@ uint32 VM::Context::getMem32(int memtype, uint32 offset) {
 	case REF_UNK:
 		return 0; // Set here breakpoint for find what is going wrong
 
-	case REF_STACK:
-		return getU32(_stack + offset);
+	case REF_STACK:	{
+		if (offset < (sizeof(_stack) - 4))
+			return getU32(_stack + offset);
+		else {
+			error("getMem32(): Out of bounds read, memType: REF_STACK  offset: 0x%02X", offset);
+			return 0;
+		}
+	}
+
 
 	case REF_EBX:
 		return getU32(EBX + offset);
@@ -509,8 +516,15 @@ uint8 VM::Context::getMem8(int memtype, uint32 offset) {
 	case REF_UNK:
 		return 0; // Set here breakpoint for find what is going wrong
 
-	case REF_STACK:
-		return _stack[offset];
+	case REF_STACK: {
+		if (offset < sizeof(_stack))
+			return _stack[offset];
+		else {
+			error("getMem8(): Out of bounds read, memType: REF_STACK  offset: 0x%02X", offset);
+			return 0;
+		}
+	}
+
 
 	case REF_EBX:
 		return EBX[offset];
@@ -529,9 +543,13 @@ void VM::Context::setMem32(int memtype, uint32 offset, uint32 val) {
 	default:
 	case REF_UNK:
 		break; // Set here breakpoint for find what is going wrong
-	case REF_STACK:
-		setU32(_stack + offset, val);
-		break;
+	case REF_STACK: {
+		if (offset < (sizeof(_stack) - 4))
+			setU32(_stack + offset, val);
+		else
+			error("setMem32(): Out of bounds write, memType: REF_STACK  offset: 0x%02X", offset);
+	} break;
+
 	case REF_EBX:
 		setU32(EBX + offset, val);
 		break;
@@ -551,9 +569,13 @@ void VM::Context::setMem8(int memtype, uint32 offset, uint8 val) {
 	default:
 	case REF_UNK:
 		break; // Set here breakpoint for find what is going wrong
-	case REF_STACK:
-		_stack[offset] = val;
-		break;
+	case REF_STACK:	{
+		if (offset < sizeof(_stack))
+			_stack[offset] = val;
+		else
+			error("setMem8(): Out of bounds write, memType: REF_STACK  offset: 0x%02X", offset);
+	} break;
+
 	case REF_EBX:
 		EBX[offset] = val;
 		break;
@@ -703,11 +725,17 @@ Common::String VM::Context::getString(int memtype, uint32 offset, uint32 maxLen)
 		return Common::String();
 
 	case REF_STACK: {
+		if (offset >= sizeof(_stack)) {
+			error("getString(): Out of bounds read, memType: REF_STACK  offset: 0x%02X", offset);
+			return Common::String();
+		}
+
 		Common::String s = Common::String((const char *)_stack + offset);
 		if (s.size() > maxLen)
 			s.erase(maxLen);
 		return s;
 	}
+
 	case REF_EBX: {
 		Common::String s = Common::String((const char *)EBX + offset);
 		if (s.size() > maxLen)


