[Scummvm-tracker] [ScummVM :: Bugs] #15884: SCUMM: INDY4: ASan o5_stringOps() heap buffer-overflow in copy-protection screen
ScummVM :: Bugs
trac at scummvm.org
Thu May 1 13:48:18 UTC 2025
#15884: SCUMM: INDY4: ASan o5_stringOps() heap buffer-overflow in copy-protection screen
---------------------+------------------------------
Reporter: dwatteau | Owner: (none)
Type: defect | Status: new
Priority: normal | Component: Engine: SCUMM
Version: | Resolution:
Keywords: | Game: Indiana Jones 4
---------------------+------------------------------
Comment (by eriktorbjorn):
I get the impression that the string it's looking at is a sort of
"overlay" for the circles to figure out what the mouse is currently above.
It's 13x17 characters:
{{{
0 0 0 0 0 1 1 1 0 0 0 0 0
0 0 0 1 1 1 1 1 1 1 0 0 0
0 0 1 1 2 2 2 2 2 1 1 0 0
0 1 1 2 2 8 8 8 2 2 1 1 0
0 1 1 2 3 8 8 8 3 2 1 1 0
1 1 2 2 3 4 4 4 3 2 2 1 1
1 1 2 2 5 4 4 4 6 6 2 1 1
1 1 2 2 3 3 4 3 3 2 2 1 1
1 1 2 2 3 7 7 7 3 2 2 1 1
1 1 2 2 3 7 7 7 3 2 2 1 1
1 1 2 2 2 3 7 3 2 2 2 1 1
1 1 1 2 2 2 2 2 2 2 1 1 1
0 1 1 1 2 2 2 2 2 1 1 1 0
0 1 1 1 1 2 2 2 1 1 1 1 0
0 0 1 1 1 1 1 1 1 1 1 0 0
0 0 0 1 1 1 1 1 1 1 0 0 0
0 0 0 0 1 1 1 1 1 0 0 0 0
}}}
Each character in the string corresponds to a 16x10 pixel area, I think?
It checks that the mouse X coordinate is inside the valid range (53-261),
but it has no corresponding check for the mouse Y coordinate. So if
the mouse goes above Y coordinate 21, you get a negative index.
It extracts the corresponding character from the string, and checks if it
is ASCII code 49-56, i.e. "1"-"8". For any other character (i.e. "0") it
does nothing.
This seems like a script bug to me, and it should be safe - at least for this
particular script - to return 48 ("0") for any negative index. I think.
--
Ticket URL: <https://bugs.scummvm.org/ticket/15884#comment:3>
ScummVM :: Bugs <https://bugs.scummvm.org>
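A worked reconstruction of the lookup described in the comment above, added here as an example: this is not ScummVM code and not the game script, and it does not use the SCUMM VM API. The grid is the 13x17 overlay quoted in the ticket; the 16x10 cell size and the (53, 21) origin are the comment's own guesses, the index formula row * 13 + col and the X range taken as [53, 261) are assumptions of this example, and the 1..8 mapping follows the "1"-"8" test the comment describes. The unchecked lookup reproduces the negative-index read; the checked one returns "0" for anything outside the string, which is the fix the comment proposes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Grid geometry as described in the ticket comment. Cell size and origin
 * are the comment's guesses; treating the X range as [53, 261) is an
 * assumption of this example. */
#define OVERLAY_COLS 13
#define OVERLAY_LINES 17
#define CELL_W 16
#define CELL_H 10
#define ORIGIN_X 53
#define ORIGIN_Y 21
#define OVERLAY_LEN (OVERLAY_COLS * OVERLAY_LINES)

/* Constructed copy of the overlay quoted in the ticket, one row per entry. */
static const char *OVERLAY_ROWS[OVERLAY_LINES] = {
    "0000011100000",
    "0001111111000",
    "0011222221100",
    "0112288822110",
    "0112388832110",
    "1122344432211",
    "1122544466211",
    "1122334332211",
    "1122377732211",
    "1122377732211",
    "1122237322211",
    "1112222222111",
    "0111222221110",
    "0111122211110",
    "0011111111100",
    "0001111111000",
    "0000111110000",
};

/* Flatten the rows into one heap buffer, standing in for the script's
 * string resource. Caller frees. */
static char *build_overlay(void) {
    char *s = malloc(OVERLAY_LEN + 1);
    if (!s)
        return NULL;
    for (int r = 0; r < OVERLAY_LINES; r++)
        memcpy(s + r * OVERLAY_COLS, OVERLAY_ROWS[r], OVERLAY_COLS);
    s[OVERLAY_LEN] = '\0';
    return s;
}

/* Index the way the comment says the script computes it: X is
 * range-checked, Y is not. Returns -1 when X is outside the grid.
 * Otherwise the row goes negative when the mouse is above ORIGIN_Y and
 * past the last row when it is below the grid (assumed formula). */
static int overlay_index(int x, int y) {
    if (x < ORIGIN_X || x >= ORIGIN_X + OVERLAY_COLS * CELL_W)
        return -1;
    int col = (x - ORIGIN_X) / CELL_W;
    int row = (y - ORIGIN_Y) / CELL_H; /* C truncates toward zero: y < 12 gives row <= -1 */
    return row * OVERLAY_COLS + col;
}

/* Unchecked read: with (x, y) = (53, 5) the index is -13, so this reads
 * before the start of the heap buffer, the kind of access ASan flags. */
static char overlay_char_unchecked(const char *overlay, int x, int y) {
    return overlay[overlay_index(x, y)];
}

/* Checked read, the fix the comment proposes: anything outside the
 * string reads as '0', the "nothing here" character. */
static char overlay_char_safe(const char *overlay, int x, int y) {
    int idx = overlay_index(x, y);
    if (idx < 0 || idx >= OVERLAY_LEN)
        return '0';
    return overlay[idx];
}

/* Circle number 1..8 under the mouse, or 0 when there is no circle. */
static int circle_under_mouse(const char *overlay, int x, int y) {
    char c = overlay_char_safe(overlay, x, y);
    return (c >= '1' && c <= '8') ? c - '0' : 0;
}

int main(int argc, char **argv) {
    (void)argv;
    char *overlay = build_overlay();
    if (!overlay)
        return 1;
    printf("mouse (117,81): circle %d\n", circle_under_mouse(overlay, 117, 81));
    printf("mouse (53,5): script index %d, checked lookup gives circle %d\n",
           overlay_index(53, 5), circle_under_mouse(overlay, 53, 5));
    if (argc > 1) /* pass any argument to reproduce the out-of-bounds read under ASan */
        printf("unchecked read: %c\n", overlay_char_unchecked(overlay, 53, 5));
    free(overlay);
    return 0;
}
```

Build with `-fsanitize=address` and run with any argument to see the heap-buffer-overflow report on the unchecked path; without an argument only the checked path runs and the mouse above the grid reports no circle.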