authorPaul Gilbert2012-10-28 23:36:57 +1100
committerPaul Gilbert2012-10-28 23:36:57 +1100
commit2ec42212faa45ea8f12cbebda87f2ccb51fd2d49 (patch)
treef9a1bbf7f10ca31cc40f01197a49deac565397d3
parentf7770dce2d0e999a41cea2df5e3b33c18200ebbc (diff)
HOPKINS: Fix buffer overruns in the PLAY_SEQ2 method
-rw-r--r--engines/hopkins/anim.cpp24
1 files changed, 13 insertions, 11 deletions
diff --git a/engines/hopkins/anim.cpp b/engines/hopkins/anim.cpp
index 8eaf8bd5be..1d4e867af5 100644
--- a/engines/hopkins/anim.cpp
+++ b/engines/hopkins/anim.cpp
@@ -1122,10 +1122,10 @@ void AnimationManager::PLAY_SEQ2(const Common::String &a1, uint32 a2, uint32 a3,
bool v4;
bool v5;
int v7;
- byte *ptr;
+ byte *ptr = NULL;
byte *ptra;
byte *v10;
- byte *v11;
+ byte *v11 = NULL;
int v13;
int v14;
int v15;
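Review bot: `byte *v11 = NULL;` gets no matching check at its use sites, so a path that reaches `memset(v11, 0, 0x13u)` (in the hunks at 1221 and 1298) before v11 is assigned now dereferences a null pointer instead of an indeterminate one; only ptr received an `assert(ptr != NULL)` guard, in the hunk at 1170. If v11 is always assigned before those loops the initializer is harmless, but a short comment saying so, `// v11 is allocated below before either read loop`, would spare the next reader the audit; otherwise the same guard, `assert(v11 != NULL);`, belongs before each memset. PLAY_SEQ2's body starts before this hunk, so where v11 is assigned is not visible here.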
@@ -1134,11 +1134,13 @@ void AnimationManager::PLAY_SEQ2(const Common::String &a1, uint32 a2, uint32 a3,
int v18;
char v19;
size_t nbytes;
- byte buf[4];
Common::File f;
v7 = 0;
- while (!_vm->shouldQuit()) {
+ for (;;) {
+ if (_vm->shouldQuit())
+ return;
+
v15 = 0;
v14 = 0;
v17 = 0;
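Review bot: The new `for (;;)` leaves the function with `return` when `_vm->shouldQuit()` is set, whereas the old `while (!_vm->shouldQuit())` fell out of the loop into whatever follows it; if code after the loop releases the `dos_malloc2` buffers (ptra is allocated at 1283, ptr earlier), that cleanup is now skipped on quit and the buffers leak. The function's tail is outside the hunk, so this is inferred rather than seen; a `break;` in place of `return;` keeps the old exit path if there is cleanup there. Removing `byte buf[4]` is the right fix for the 6-byte reads that were made into it.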
@@ -1152,9 +1154,9 @@ void AnimationManager::PLAY_SEQ2(const Common::String &a1, uint32 a2, uint32 a3,
if (!f.open(_vm->_globals.NFICHIER))
error("File not found - %s", _vm->_globals.NFICHIER.c_str());
- f.read(&buf, 6u);
+ f.skip(6);
f.read(_vm->_graphicsManager.Palette, 0x320u);
- f.read(&buf, 4u);
+ f.skip(4);
nbytes = f.readUint32LE();
v19 = f.readUint32LE();
v18 = f.readUint16LE();
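Review bot: `v19 = f.readUint32LE();` stores a 32-bit header field into `char v19` (declared at 1135), silently truncating it; the same line appears in the hunk at 1283. It is not introduced by this commit, but it sits on the header-parsing path the commit reworks, so either widen the variable or document the intent, e.g. `// only the low byte of this field is meaningful`. The `f.skip(6)` / `f.skip(4)` replacements correctly remove the reads that overflowed the 4-byte buf; if skip() reports a short seek through its return value, checking it would turn a truncated header into an `error()` as the open failure already is at 1152, rather than feeding garbage to the reads that follow.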
@@ -1170,8 +1172,10 @@ void AnimationManager::PLAY_SEQ2(const Common::String &a1, uint32 a2, uint32 a3,
memcpy((void *)ptr, v10, 0x4B000u);
}
if (_vm->_animationManager.NO_SEQ) {
- if (v7 == 1)
+ if (v7 == 1) {
+ assert(ptr != NULL);
memcpy((void *)ptr, _vm->_graphicsManager.VESA_BUFFER, 0x4B000u);
+ }
_vm->_graphicsManager.setpal_vga256(_vm->_graphicsManager.Palette);
} else {
_vm->_graphicsManager.DD_Lock();
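Review bot: `assert(ptr != NULL);` is compiled out under NDEBUG, so release builds still reach `memcpy((void *)ptr, _vm->_graphicsManager.VESA_BUFFER, 0x4B000u)` with a null ptr on the very path the check is meant to guard; the file already reports fatal conditions through `error()` (see 1153), which is active in every build. Replacing the assert with `if (!ptr) error("PLAY_SEQ2: ptr not allocated");` keeps the diagnostic in release. The branch that allocates ptr (the memcpy at 1170 writes into it) lies before this hunk, so whether v7 == 1 can actually coincide with an unset ptr is not visible here.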
@@ -1221,7 +1225,6 @@ LABEL_23:
while (!_vm->shouldQuit()) {
_vm->_soundManager.PLAY_ANM_SOUND(v13++);
- memset(&buf, 0, 6u);
memset(v11, 0, 0x13u);
if (f.read(v11, 16) != 16)
v4 = true;
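Review bot: `memset(v11, 0, 0x13u)` zeroes 19 bytes while the following `f.read(v11, 16)` fills only 16, so the buffer v11 points at must be at least 0x13 bytes for the memset to stay in bounds; its allocation is not in the hunk, and a commit fixing buffer overruns in this method should confirm that size. The same pair appears in the hunk at 1298. A comment at the memset, `// v11 must be >= 0x13 bytes: more is cleared than the 16-byte record read below`, would record the reasoning, or the length could be reduced to 16 if nothing reads past the record. The enclosing loop ends outside the hunk.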
@@ -1283,9 +1286,9 @@ LABEL_54:
ptra = _vm->_globals.dos_malloc2(0x4B000u);
f.seek(0);
- f.read(&buf, 6u);
+ f.skip(6);
f.read(_vm->_graphicsManager.Palette, 0x320u);
- f.read(&buf, 4u);
+ f.skip(4);
nbytes = f.readUint32LE();
v19 = f.readUint32LE();
v18 = f.readUint16LE();
@@ -1298,7 +1301,6 @@ LABEL_54:
memcpy(ptra, v10, 0x4B000u);
v5 = false;
do {
- memset(&buf, 0, 6u);
memset(v11, 0, 0x13u);
if (f.read(v11, 16) != 16)
v5 = true;