SCI: Truncate channel data in case it goes beyond resource size

Fixes invalid memory access during kq5 floppy ending
author: Martin Kiewitz 2016-03-08 03:36:02 +0100
committer: Martin Kiewitz 2016-03-08 03:36:02 +0100
commit: 6779340b244fdb6b9643190c3beaa8ddbd4253e0 (patch)
tree: 5bf9f0a104e92cdb33544c9fc6119a999b08aa8a
parent: 343f1c7f8b89a5e0445f3c3f6af18700be407362 (diff)
download: scummvm-rg350-6779340b244fdb6b9643190c3beaa8ddbd4253e0.tar.gz
scummvm-rg350-6779340b244fdb6b9643190c3beaa8ddbd4253e0.tar.bz2
scummvm-rg350-6779340b244fdb6b9643190c3beaa8ddbd4253e0.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/engines/sci/resource_audio.cpp b/engines/sci/resource_audio.cpp
index 82099413cb..5717a09121 100644
--- a/engines/sci/resource_audio.cpp
+++ b/engines/sci/resource_audio.cpp
@@ -688,6 +688,12 @@ SoundResource::SoundResource(uint32 resourceNr, ResourceManager *resMan, SciVers
 
 					channel->data = resource->data + dataOffset;
 					channel->size = READ_LE_UINT16(data + 4);
+
+					if (dataOffset + channel->size > resource->size) {
+						warning("Invalid size inside sound resource %d: track %d, channel %d", resourceNr, trackNr, channelNr);
+						channel->size = resource->size - dataOffset;
+					}
+
 					channel->curPos = 0;
 					channel->number = *channel->data;
author	Martin Kiewitz	2016-03-08 03:36:02 +0100
committer	Martin Kiewitz	2016-03-08 03:36:02 +0100
commit	6779340b244fdb6b9643190c3beaa8ddbd4253e0 (patch)
tree	5bf9f0a104e92cdb33544c9fc6119a999b08aa8a
parent	343f1c7f8b89a5e0445f3c3f6af18700be407362 (diff)
download	scummvm-rg350-6779340b244fdb6b9643190c3beaa8ddbd4253e0.tar.gz scummvm-rg350-6779340b244fdb6b9643190c3beaa8ddbd4253e0.tar.bz2 scummvm-rg350-6779340b244fdb6b9643190c3beaa8ddbd4253e0.zip