diff options
| author | Colin Snover | 2017-04-12 21:01:11 -0500 |
|---|---|---|
| committer | Colin Snover | 2017-04-16 12:23:35 -0500 |
| commit | 4946f149b40ca421e7da6cad64ffbbf1b37744e3 (patch) | |
| tree | 089d63ff94039f880d0108e77d8f299139ec4f0c /engines/sci/sound/midiparser_sci.h | |
| parent | fa27fd7478f3326228cb16f4c0e392639aaed4a1 (diff) | |
| download | scummvm-rg350-4946f149b40ca421e7da6cad64ffbbf1b37744e3.tar.gz scummvm-rg350-4946f149b40ca421e7da6cad64ffbbf1b37744e3.tar.bz2 scummvm-rg350-4946f149b40ca421e7da6cad64ffbbf1b37744e3.zip | |
SCI: Improve MidiParser_SCI robustness against bad sound resources
1. KQ4 sound 104 has an extra 0xFC (MIDI Stop command/kEndOfTrack)
at the end of the resource, which causes an out-of-bounds read
because the filtering loop continues after the first 0xFC and
unconditionally attempts to read 2 bytes (expecting there to
always be a delta value + a command, whereas in this file there
is only another kEndOfTrack command). This is corrected by
exiting the filtering loop when a kEndOfTrack is encountered
and there is not enough data remaining in the resource to
continue reading.
2. KQ5 sound 699 is truncated, which causes the parser to attempt
to read past the end of the resource. This is addressed by
adding bounds checks that exit the mix loop early if there is
no more data available to read. This allows truncated sounds
to be played as far as possible (previously, trying to read
truncated resources would result in a fatal error).
3. midiMixChannels allocates an arbitrary amount of raw memory
for the mixed MIDI sequence, without performing any bounds
checking when writing to this memory, potentially leading to
a crash or silent corruption of adjacent memory. This is
mitigated by using SciSpan instead of a raw pointer for the
mixed data.
Fixes Trac#9727.
Diffstat (limited to 'engines/sci/sound/midiparser_sci.h')
| -rw-r--r-- | engines/sci/sound/midiparser_sci.h | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/engines/sci/sound/midiparser_sci.h b/engines/sci/sound/midiparser_sci.h index 15c01977bd..78abb31257 100644 --- a/engines/sci/sound/midiparser_sci.h +++ b/engines/sci/sound/midiparser_sci.h @@ -76,7 +76,7 @@ public: void allNotesOff(); - const byte *getMixedData() const { return _mixedData; } + const SciSpan<const byte> &getMixedData() const { return *_mixedData; } byte getSongReverb(); void sendFromScriptToDriver(uint32 midi); @@ -90,8 +90,8 @@ public: protected: void parseNextEvent(EventInfo &info); bool processEvent(const EventInfo &info, bool fireEvents = true); - byte *midiMixChannels(); - byte *midiFilterChannels(int channelMask); + void midiMixChannels(); + void midiFilterChannels(int channelMask); byte midiGetNextChannel(long ticker); void resetStateTracking(); void trackState(uint32 midi); @@ -103,7 +103,7 @@ protected: bool _mainThreadCalled; SciVersion _soundVersion; - byte *_mixedData; + Common::SpanOwner<SciSpan<const byte> > _mixedData; SoundResource::Track *_track; MusicEntry *_pSnd; uint32 _loopTick; |