GNAP: Fix potential out of bound write

author: Strangerke 2016-06-08 07:46:35 +0200
committer: Strangerke 2016-06-08 07:46:35 +0200
commit: 32f9b9243117a59b62e381655e7e253e6e6fad00 (patch)
tree: 2263dd28b41db5489e3688876763f6063e29c32f /engines/gnap/gamesys.cpp
parent: 245ae4011b589a1c6298c7ee8d21f9cd1df07b85 (diff)
download: scummvm-rg350-32f9b9243117a59b62e381655e7e253e6e6fad00.tar.gz
scummvm-rg350-32f9b9243117a59b62e381655e7e253e6e6fad00.tar.bz2
scummvm-rg350-32f9b9243117a59b62e381655e7e253e6e6fad00.zip
1 files changed, 4 insertions, 1 deletions
diff --git a/engines/gnap/gamesys.cpp b/engines/gnap/gamesys.cpp
index d31854d06e..11ef6fd3d7 100644
--- a/engines/gnap/gamesys.cpp
+++ b/engines/gnap/gamesys.cpp
@@ -1116,7 +1116,10 @@ void GameSys::fatUpdateFrame() {
 	if (_newSpriteDrawItemsCount > 0) {
 		debugC(kDebugBasic, "_newSpriteDrawItemsCount: %d", _newSpriteDrawItemsCount);
 		for (int k = 0; k < _newSpriteDrawItemsCount; ++k) {
-			if (_gfxItemsCount < 50) {
+			// The original was allowing a buffer overflow.
+			// In order to fit in memory, insertIndex + 1 + (_gfxItemsCount - InsertIndex) must be
+			// smaller than the size _gfxItems array (50).
+			if (_gfxItemsCount + 1 < 50) {
 				int insertIndex;
 				seqLocateGfx(-1, _newSpriteDrawItems[k]._id, &insertIndex);
 				if (_gfxItemsCount != insertIndex)
author	Strangerke	2016-06-08 07:46:35 +0200
committer	Strangerke	2016-06-08 07:46:35 +0200
commit	32f9b9243117a59b62e381655e7e253e6e6fad00 (patch)
tree	2263dd28b41db5489e3688876763f6063e29c32f /engines/gnap/gamesys.cpp
parent	245ae4011b589a1c6298c7ee8d21f9cd1df07b85 (diff)
download	scummvm-rg350-32f9b9243117a59b62e381655e7e253e6e6fad00.tar.gz scummvm-rg350-32f9b9243117a59b62e381655e7e253e6e6fad00.tar.bz2 scummvm-rg350-32f9b9243117a59b62e381655e7e253e6e6fad00.zip