diff options
| author | Willem Jan Palenstijn | 2012-04-04 08:48:36 +0200 |
|---|---|---|
| committer | Willem Jan Palenstijn | 2012-04-04 08:54:58 +0200 |
| commit | a6ba9f150a19765956d4fb9ba750782f05f74f48 (patch) | |
| tree | cc165b252bda5b5544fde2c1c0d80a6e28f620a4 | |
| parent | 793dcda650478ff56d4a6125fbd37f729a70bc8b (diff) | |
| download | scummvm-rg350-a6ba9f150a19765956d4fb9ba750782f05f74f48.tar.gz scummvm-rg350-a6ba9f150a19765956d4fb9ba750782f05f74f48.tar.bz2 scummvm-rg350-a6ba9f150a19765956d4fb9ba750782f05f74f48.zip | |
SCUMM/ARM: Fix crashes in ARM asm costume renderer
It was possible to bypass the initialization of r11, and
mask was being read before the corresponding bounds check.
Thanks to fuzzie for analysis and LordHoto for testing.
This fixes bug #3500023 and a crash in the DOTT ending.
| -rw-r--r-- | engines/scumm/proc3ARM.s | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/engines/scumm/proc3ARM.s b/engines/scumm/proc3ARM.s index 5833bcf90b..ca44386b5c 100644 --- a/engines/scumm/proc3ARM.s +++ b/engines/scumm/proc3ARM.s @@ -153,6 +153,7 @@ _ClassicProc3RendererShadowARM: STR r12,[r13,#height] STR r14,[r13,#len] LDR r12,[r13,#pitch] + LDR r11,[r13,#_numStrips] B startpos outerloop: @@ -231,13 +232,13 @@ innerloop: CMPLE r0,r14 @ || _scaleY >= r14 BLE startpos - LDRB r14,[r10],r11 @ r14 = mask[0] mask += _numStrips ADDS r4,r4,#1 @ y >= 0 (equiv to y>-1,y+1>0) CMPGT r1,#0 @ && color > 0 CMPGT r6,r4 @ && _out.h+1 > y+1 CMNGT r3,#1 @ && x >= 0 (equiv to x>-1,x+1>0) CMPGT r7,r3 @ && _out.w > x BLE masked + LDRB r14,[r10] @ r14 = mask[0] TST r14,r8 @ && !(mask[0] && maskbit) LDREQ r14,[r13,#_palette] BNE masked @@ -256,6 +257,7 @@ innerloop: @ stallEQ STRB r14,[r9] @ *dst = pcolor masked: + ADD r10,r10,r11 @ mask += _numStrips ADD r9,r9,r12 @ dst += _out.pitch startpos: SUBS r5,r5,#1 @ loopCount -=1 |