author | Colin Snover | 2017-11-11 12:28:22 -0600 |
---|---|---|
committer | Colin Snover | 2017-11-11 16:19:23 -0600 |
commit | f99c83c0a003834a8d3d9f2f608f447cb21df3f1 (patch) | |
tree | c8e4ffc9c9d3a2dd06fac3979707f35bff51dad8 | |
parent | 406ff7db10089ad502cf5a80a3534dd82c371ef7 (diff) | |
DREAMWEB: Fix out-of-bounds read of frame animation data
The game reads until it sees 0xFF, which is not until frame 14 for
some animations in the first interactive room of the game. This
happened to work previously because the struct is packed so it
would read into the b31.. members, but this was still technically
an out-of-bounds read.
-rw-r--r-- | engines/dreamweb/structs.h | 30 |
1 files changed, 1 insertions, 29 deletions
diff --git a/engines/dreamweb/structs.h b/engines/dreamweb/structs.h
index cc300e8931..58ce03dcc5 100644
--- a/engines/dreamweb/structs.h
+++ b/engines/dreamweb/structs.h
@@ -77,35 +77,7 @@ struct SetObject {
 uint8 objId[4];
 uint8 b16;
 uint8 index;
- uint8 frames[13]; // Table mapping animFrame to sprite frame number
- // NB: Don't know the size yet
- uint8 b31;
- uint8 b32;
- uint8 b33;
- uint8 b34;
- uint8 b35;
- uint8 b36;
- uint8 b37;
- uint8 b38;
- uint8 b39;
- uint8 b40;
- uint8 b41;
- uint8 b42;
- uint8 b43;
- uint8 b44;
- uint8 b45;
- uint8 b46;
- uint8 b47;
- uint8 b48;
- uint8 b49;
- uint8 b50;
- uint8 b51;
- uint8 b52;
- uint8 b53;
- uint8 b54;
- uint8 b55;
- uint8 b56;
- uint8 b57;
+ uint8 frames[40]; // Table mapping animFrame to sprite frame number
 uint8 mapad[5];
 uint8 b63;
 } PACKED_STRUCT; |
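Review bot: Widening `frames` to 40 entries makes the known animations fit, but nothing in this hunk bounds the scan itself: per the commit message the reader walks the table until it sees 0xFF, so a table with no terminator in its 40 bytes would still run on into `mapad`, `b63` and past the struct. The reading loop is not in this hunk, so this is inferred; if it has no length check, it should stop at `sizeof(frames)` as well as at 0xFF. I would also record the contract on the field, e.g. `uint8 frames[40]; // animFrame -> sprite frame table, 0xFF-terminated; replaces frames[13] + b31..b57, readers must not index past sizeof(frames)`. The struct is packed and the 13 + 27 = 40 byte swap keeps its size, which is worth stating since `struct SetObject` begins above the hunk and its full layout is not visible here.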