author | D G Turner | 2011-11-25 06:30:10 +0000 |
---|---|---|
committer | D G Turner | 2011-11-25 06:30:10 +0000 |
commit | a0dbe45a454f8b64efb784131b13b942ee060675 (patch) | |
tree | 085ace333d8c8bdacaf83ad2d3f6014d5db370a1 | |
parent | c451bd4340cc8d76e1ba6bb55d3d75b67c38e4cf (diff) | |
DRASCULA: Add fix for crash/OOB memory accesses in bug #3440895
This bug is "DRASCULA-IT: Crash/graphic glitch at castle towers".
The crash was due to width and height values being passed to
copyBackground() being invalid due to out of bounds read from
the factor_red array. This adds debugging statements and fixes
the crash by clipping accesses to the maximum index of factor_red.
This doesn't however fix the observed GFX glitch, but stops it being
a segfault.
-rw-r--r-- | engines/drascula/graphics.cpp | 1 | ||||
-rw-r--r-- | engines/drascula/talk.cpp | 25 |
2 files changed, 14 insertions, 12 deletions
diff --git a/engines/drascula/graphics.cpp b/engines/drascula/graphics.cpp index f9f6c1f58c..590561f0bd 100644 --- a/engines/drascula/graphics.cpp +++ b/engines/drascula/graphics.cpp @@ -154,6 +154,7 @@ void DrasculaEngine::showFrame(Common::SeekableReadStream *stream, bool firstFra } void DrasculaEngine::copyBackground(int xorg, int yorg, int xdes, int ydes, int width, int height, byte *src, byte *dest) { + debug(1, "DrasculaEngine::copyBackground(xorg:%d, yorg:%d, xdes:%d, ydes:%d width:%d height:%d, src, dest)", xorg, yorg, xdes, ydes, width,height); dest += xdes + ydes * 320; src += xorg + yorg * 320; /* Unoptimized code diff --git a/engines/drascula/talk.cpp b/engines/drascula/talk.cpp index c97191fc0a..a326852e96 100644 --- a/engines/drascula/talk.cpp +++ b/engines/drascula/talk.cpp @@ -372,6 +372,7 @@ void DrasculaEngine::talk(int index) { } void DrasculaEngine::talk(const char *said, const char *filename) { + debug(1, "DrasculaEngine::talk(said:\"%s\", filename:\"%s\")", said, filename); int talkOffset = 0; if (currentChapter != 2) talkOffset = 1; @@ -414,8 +415,8 @@ void DrasculaEngine::talk(const char *said, const char *filename) { if (currentChapter == 2) copyBackground(curX, curY, OBJWIDTH + 1, 0, curWidth, talkHeight - 1, screenSurface, drawSurface3); else - copyBackground(curX, curY, OBJWIDTH + 1, 0, (int)(((float)curWidth / 100) * factor_red[curY + curHeight]), - (int)(((float)(talkHeight - 1) / 100) * factor_red[curY + curHeight]), + copyBackground(curX, curY, OBJWIDTH + 1, 0, (int)(((float)curWidth / 100) * factor_red[MIN(201, curY + curHeight)]), + (int)(((float)(talkHeight - 1) / 100) * factor_red[MIN(201, curY + curHeight)]), screenSurface, drawSurface3); moveCharacters(); 
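Review bot: copyBackground() still trusts its arguments: right after the added debug() line, `dest += xdes + ydes * 320;` and `src += xorg + yorg * 320;` run with no check that the rectangle stays inside the surfaces, so any other caller that computes a bad width or height can reach the same out-of-bounds access the commit message describes. Validating at this sink would cover every caller rather than only talk(), starting with something like `if (width <= 0 || height <= 0 || xorg + width > 320 || xdes + width > 320) return;` and a matching vertical bound (the surface height is not visible in this hunk and needs confirming). The function body continues outside the hunk, so a check further down cannot be ruled out. Separately, `debug(1, ...)` here fires on every blit and may flood a level-1 log.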
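Review bot: The debug() line added at the top of talk() logs `said` and `filename` but not `curY` and `curHeight`, whose sum is the factor_red index that the rest of this commit clamps. A log captured while the remaining graphics glitch occurs will therefore not show whether the clamp engaged or how far out of range the index was. Logging the raw value at the point of clamping would make that traceable, e.g. `if (curY + curHeight > 201) debug(1, "talk: factor_red index %d clamped to 201", curY + curHeight);`. Passing a null `said` or `filename` to `%s` would be undefined behaviour; the callers are outside this hunk, so that is worth confirming. The function body continues past the hunk.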
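Review bot: `MIN(201, curY + curHeight)` bounds the index only from above, so a negative sum would still read before the start of factor_red. Whether `curY + curHeight` can go negative is not visible here, but a two-sided clamp such as `factor_red[CLIP(curY + curHeight, 0, 201)]` removes the question. The literal 201 is also repeated at every changed call in this hunk and in the hunks at -424, -434, -444, -453 and -463, so it will silently go stale if the array is ever resized. A named constant derived from the array's declared size, with the clamp done in one small helper (or one local, if curY and curHeight are not modified between these calls, which the hunks do not establish since moveCharacters() runs in between), would keep the twelve sites consistent.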
@@ -424,8 +425,8 @@ void DrasculaEngine::talk(const char *said, const char *filename) { if (!strcmp(menuBackground, "99.alg") || !strcmp(menuBackground, "994.alg")) copyBackground(OBJWIDTH + 1, 0, curX, curY, curWidth, talkHeight - 1, drawSurface3, screenSurface); } else { - copyBackground(OBJWIDTH + 1, 0, curX, curY, (int)(((float)curWidth / 100) * factor_red[curY + curHeight]), - (int)(((float)(talkHeight - 1) / 100) * factor_red[curY + curHeight]), + copyBackground(OBJWIDTH + 1, 0, curX, curY, (int)(((float)curWidth / 100) * factor_red[MIN(201, curY + curHeight)]), + (int)(((float)(talkHeight - 1) / 100) * factor_red[MIN(201, curY + curHeight)]), drawSurface3, screenSurface); } @@ -434,8 +435,8 @@ void DrasculaEngine::talk(const char *said, const char *filename) { copyRect(x_talk_izq[face], y_mask_talk, curX + 8, curY - 1, talkWidth, talkHeight, extraSurface, screenSurface); else - reduce_hare_chico(x_talk_izq[face], y_mask_talk, curX + (int)((8.0f / 100) * factor_red[curY + curHeight]), - curY, talkWidth, talkHeight, factor_red[curY + curHeight], + reduce_hare_chico(x_talk_izq[face], y_mask_talk, curX + (int)((8.0f / 100) * factor_red[MIN(201, curY + curHeight)]), + curY, talkWidth, talkHeight, factor_red[MIN(201, curY + curHeight)], extraSurface, screenSurface); updateRefresh(); 
@@ -444,8 +445,8 @@ void DrasculaEngine::talk(const char *said, const char *filename) { copyRect(x_talk_dch[face], y_mask_talk, curX + 12, curY, talkWidth, talkHeight, extraSurface, screenSurface); else - reduce_hare_chico(x_talk_dch[face], y_mask_talk, curX + (int)((12.0f / 100) * factor_red[curY + curHeight]), - curY, talkWidth, talkHeight, factor_red[curY + curHeight], extraSurface, screenSurface); + reduce_hare_chico(x_talk_dch[face], y_mask_talk, curX + (int)((12.0f / 100) * factor_red[MIN(201, curY + curHeight)]), + curY, talkWidth, talkHeight, factor_red[MIN(201, curY + curHeight)], extraSurface, screenSurface); updateRefresh(); } else if (trackProtagonist == 2) { if (currentChapter == 2) @@ -453,8 +454,8 @@ void DrasculaEngine::talk(const char *said, const char *filename) { frontSurface, screenSurface); else reduce_hare_chico(x_talk_izq[face], y_mask_talk, - talkOffset + curX + (int)((12.0f / 100) * factor_red[curY + curHeight]), - curY, talkWidth, talkHeight, factor_red[curY + curHeight], + talkOffset + curX + (int)((12.0f / 100) * factor_red[MIN(201, curY + curHeight)]), + curY, talkWidth, talkHeight, factor_red[MIN(201, curY + curHeight)], frontSurface, screenSurface); updateRefresh(); } else if (trackProtagonist == 3) { @@ -463,8 +464,8 @@ void DrasculaEngine::talk(const char *said, const char *filename) { frontSurface, screenSurface); else reduce_hare_chico(x_talk_dch[face], y_mask_talk, - talkOffset + curX + (int)((8.0f / 100) * factor_red[curY + curHeight]), - curY, talkWidth,talkHeight, factor_red[curY + curHeight], + talkOffset + curX + (int)((8.0f / 100) * factor_red[MIN(201, curY + curHeight)]), + curY, talkWidth,talkHeight, factor_red[MIN(201, curY + curHeight)], frontSurface, screenSurface); updateRefresh(); } |