diff options
| author | Colin Snover | 2016-03-14 10:22:41 -0500 |
|---|---|---|
| committer | Colin Snover | 2016-03-18 10:28:51 -0500 |
| commit | b7d5dd9187d472df73075c2bb92d0a4f71726df7 (patch) | |
| tree | 86543edcb43081e07df3411e46b412198b560e56 /engines/sci/engine/kstring.cpp | |
| parent | 5917467c1b3faa97ec5a7b95eeface6d097cda77 (diff) | |
| download | scummvm-rg350-b7d5dd9187d472df73075c2bb92d0a4f71726df7.tar.gz scummvm-rg350-b7d5dd9187d472df73075c2bb92d0a4f71726df7.tar.bz2 scummvm-rg350-b7d5dd9187d472df73075c2bb92d0a4f71726df7.zip | |
SCI32: Fix heap overflow (read) in kStringCopy
Diffstat (limited to 'engines/sci/engine/kstring.cpp')
| -rw-r--r-- | engines/sci/engine/kstring.cpp | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/engines/sci/engine/kstring.cpp b/engines/sci/engine/kstring.cpp index f598cf7457..6d61ad5f41 100644 --- a/engines/sci/engine/kstring.cpp +++ b/engines/sci/engine/kstring.cpp @@ -781,7 +781,8 @@ reg_t kStringCopy(EngineState *s, int argc, reg_t *argv) { // Note: We're accessing from c_str() here because the // string's size ignores the trailing 0 and therefore // triggers an assert when doing string2[i + index2]. - for (uint16 i = 0; i < count; i++) + uint16 size = MIN(string2Size, count); + for (uint16 i = 0; i < size; i++) string1->setValue(i + index1, string2[i + index2]); return argv[0]; |