KYRA: (LOL) Fix buffer overflow in _lastOverridePalFile

It was storing filenames of length 12 in a char[12] buffer.
Fixes bug #9627.

2 files changed, 7 insertions, 10 deletions

diff --git a/engines/kyra/lol.h b/engines/kyra/lol.h
index af58397200..9f952e5df6 100644
--- a/engines/kyra/lol.h
+++ b/engines/kyra/lol.h
@@ -987,8 +987,7 @@ private:
 	uint16 _specialGuiShapeY;
 	uint16 _specialGuiShapeMirrorFlag;
 
-	char _lastOverridePalFile[12];
-	char *_lastOverridePalFilePtr;
+	Common::String _lastOverridePalFile;
 	int _lastSpecialColor;
 	int _lastSpecialColorWeight;
 
diff --git a/engines/kyra/scene_lol.cpp b/engines/kyra/scene_lol.cpp
index 391de5e49c..a746080190 100644
--- a/engines/kyra/scene_lol.cpp
+++ b/engines/kyra/scene_lol.cpp
@@ -303,12 +303,10 @@ void LoLEngine::loadLevelGraphics(const char *file, int specialColor, int weight
 		_lastSpecialColor = specialColor;
 		_lastSpecialColorWeight = weight;
 		strcpy(_lastBlockDataFile, file);
-		if (palFile) {
-			strcpy(_lastOverridePalFile, palFile);
-			_lastOverridePalFilePtr = _lastOverridePalFile;
-		} else {
-			_lastOverridePalFilePtr = 0;
-		}
+		if (palFile)
+			_lastOverridePalFile = palFile;
+		else
+			_lastOverridePalFile.clear();
 	}
 
 	if (_flags.use16ColorMode) {
@@ -361,8 +359,8 @@ void LoLEngine::loadLevelGraphics(const char *file, int specialColor, int weight
 		memcpy(_vcnColTable, v, 128);
 		v += 128;
 
-		if (_lastOverridePalFilePtr) {
-			_res->loadFileToBuf(_lastOverridePalFilePtr, _screen->getPalette(0).getData(), 384);
+		if (!_lastOverridePalFile.empty()) {
+			_res->loadFileToBuf(_lastOverridePalFile.c_str(), _screen->getPalette(0).getData(), 384);
 		} else {
 			_screen->getPalette(0).copy(v, 0, 128);
 		}