author | Colin Snover | 2017-09-22 13:20:49 -0500 |
---|---|---|
committer | Colin Snover | 2017-09-23 20:37:51 -0500 |
commit | 50cfb7ad46ff65ab038f4694bafb4d817ef8529e (patch) | |
tree | 4bf047995c2b308babf8b0bf7ca357b0a3fe2442 | |
parent | d74e94950b0945b66a478063a65fdf645208bd9d (diff) | |
SCI32: Fix size for dereferencing non-raw SCI32 arrays
The maxSize given when generating a SegmentRef is supposed to be
the maximum size of raw data that can be held inside the offset
part of a reg_t, not the entire size including the segment.
This fixes a buffer overflow in "Inside the Chest", which still
does not work, but at least doesn't cause heap overflows anymore
with this change.
-rw-r--r-- | engines/sci/engine/segment.h | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/engines/sci/engine/segment.h b/engines/sci/engine/segment.h
index 8eca6713b3..ddb34582ab 100644
--- a/engines/sci/engine/segment.h
+++ b/engines/sci/engine/segment.h
@@ -505,10 +505,14 @@ public:
 }
 
 /**
- * Returns the size of the array, in bytes.
+ * Returns the maximum number of bytes that can be stored in the array.
 */
 uint16 byteSize() const {
- return _size * _elementSize;
+ uint16 size = _size;
+ if (_type == kArrayTypeID || _type == kArrayTypeInt16) {
+ size *= sizeof(uint16);
+ }
+ return size;
 }
 
 /**
@@ -892,7 +896,7 @@ public:
 break;
 }
 
- return Common::String::format("type %s; %u entries; %u bytes", type, size(), byteSize());
+ return Common::String::format("type %s; %u entries", type, size());
 }
 
protected: |
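Review bot: The new `size *= sizeof(uint16);` in byteSize() multiplies in size_t and silently narrows back into a uint16, so any `_size` of 32768 or more wraps and byteSize() reports a smaller capacity than the array actually holds; since the description says this value bounds a SegmentRef, a wrapped result would presumably make later bounds checks reject or truncate accesses that are in fact valid, which deserves an explicit guard such as `assert(_size <= 0xFFFF / sizeof(uint16));` before the multiplication, or a `static_cast<uint16>` that documents the narrowing. The rewrite also drops `_elementSize` from the computation, so the one-byte-per-element assumption for every type other than kArrayTypeID and kArrayTypeInt16 is now implicit; a comment on the `if` like `// only ID and Int16 arrays hold 2-byte elements; all other types are byte-sized` would keep that invariant visible to whoever adds a new array type. The enclosing class begins and ends outside both hunks.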