author | Zhiqi Yin | 2019-03-09 21:10:48 -0800 |
---|---|---|
committer | Eugene Sandulenko | 2019-03-12 00:25:25 +0100 |
commit | efa9717c691ef488f7b0ab3f04bd71b734b881e5 (patch) | |
tree | 3cba3b737b5408981a8e0f74364904aa86d15ec0 /engines/scumm/he/moonbase | |
parent | 672d216d113abcc11d3be1b0c76d2c251cfd8357 (diff) | |
download | scummvm-rg350-efa9717c691ef488f7b0ab3f04bd71b734b881e5.tar.gz scummvm-rg350-efa9717c691ef488f7b0ab3f04bd71b734b881e5.tar.bz2 scummvm-rg350-efa9717c691ef488f7b0ab3f04bd71b734b881e5.zip |
SCUMM HE: Bug fix for moonbase stack memory corruption
What:
The bug is reproducible in the following ways:
1. quitting the game
2. entering challenge mode state 2; when the game starts, move the mouse around
the menu buttons (choose building or weapons)
Observed behavior: in he/wiz_he.cpp:2839, the function failed to return since
the stack around variable 'color' was corrupted. The game then crashes.
Analysis:
Since other functions will modify the memory area around local variable 'color',
the bug should be caused by memory being overwritten. The memory write happens
in this modified file. From the code, it only wants to write a certain number
of pixels. So I found 2 places where more pixels are written. This causes
stack memory corruption.
Fix:
Add a check: if we have written enough pixels, then break.
Testing:
The game UI looks correct. Single player mode game is tested.
Bug no longer observable. Tested for both cases mentioned above.
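The analysis above describes a run-length blit that keeps writing pixels past the destination window until it tramples the stack. The C program below is an added illustration, not ScummVM's code: its run format, the functions blit_row_clipped and stream_pixel_count, the demo_* wrappers and the SAMPLE_* byte streams are all constructed for this page and are not the T14 encoding the patch decodes. It applies the same "stop once pixels reaches sx + cx" guard in a toy decoder and shows how many pixels an unguarded decoder would have emitted for the same stream.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy run-length row format, constructed for this illustration (NOT
 * ScummVM's T14 encoding): each run begins with a code byte whose bit 0
 * selects copy (1) or skip (0) and whose upper bits give the run length.
 * A copy run is followed by `length` little-endian 16-bit pixels. */

/* Total pixels (copied + skipped) the stream encodes, i.e. how far an
 * unguarded decoder would advance; -1 if the stream is truncated. */
int stream_pixel_count(const uint8_t *src, size_t srclen)
{
    size_t pos = 0;
    int pixels = 0;
    while (pos < srclen) {
        uint8_t code = src[pos++];
        int len = code >> 1;
        if (code & 1) {
            if (pos + (size_t)len * 2 > srclen)
                return -1;
            pos += (size_t)len * 2;
        }
        pixels += len;
    }
    return pixels;
}

/* Decode one row into dst (dstw pixels wide), writing only columns inside
 * the window [sx, sx + cx). Returns the number of pixels written, or -1 if
 * the window does not fit the row or the stream is truncated. The
 * `pixels >= end` checks mirror the guards the commit adds: once the window
 * is full, decoding stops instead of running past the destination buffer. */
int blit_row_clipped(uint16_t *dst, int dstw, const uint8_t *src, size_t srclen,
                     int sx, int cx)
{
    int pixels = 0;               /* source column being decoded */
    int written = 0;
    int end = sx + cx;            /* first column that must not be written */
    size_t pos = 0;

    if (sx < 0 || cx < 0 || end > dstw)
        return -1;                /* window must fit inside the row */

    while (pos < srclen && pixels < end) {
        uint8_t code = src[pos++];
        int len = code >> 1;
        if (code & 1) {                           /* copy run */
            for (int i = 0; i < len; i++) {
                if (pos + 2 > srclen)
                    return -1;                    /* truncated pixel data */
                uint16_t px = (uint16_t)(src[pos] | (src[pos + 1] << 8));
                pos += 2;
                if (pixels >= sx) {
                    dst[pixels] = px;             /* pixels < end <= dstw here */
                    written++;
                }
                pixels++;
                if (pixels >= end)
                    break;                        /* window full: stop writing */
            }
        } else {                                  /* skip run: no stores */
            pixels += len;
        }
    }
    return written;
}

/* Constructed sample streams. */
static const uint8_t SAMPLE_LONG_RUN[] = {   /* one copy run of 6 pixels */
    0x0D, 0x11, 0x00, 0x22, 0x00, 0x33, 0x00, 0x44, 0x00, 0x55, 0x00, 0x66, 0x00 };
static const uint8_t SAMPLE_SKIP_COPY[] = {  /* skip 2 columns, then copy 3 */
    0x04, 0x07, 0xAA, 0x00, 0xBB, 0x00, 0xCC, 0x00 };

/* How many pixels the long-run stream would make an unguarded decoder emit. */
int demo_long_run_total(void)
{
    return stream_pixel_count(SAMPLE_LONG_RUN, sizeof SAMPLE_LONG_RUN);
}

/* A 6-pixel run blitted into a 4-pixel window: 4 pixels land, the remaining
 * 2 are dropped instead of being written past the row. */
int demo_long_run_is_clipped(void)
{
    uint16_t row[4] = {0};
    int written = blit_row_clipped(row, 4, SAMPLE_LONG_RUN,
                                   sizeof SAMPLE_LONG_RUN, 0, 4);
    if (row[0] != 0x11 || row[3] != 0x44)
        return -1;
    return written;
}

/* Window [1, 4): the skip leaves column 1 untouched, the copy fills columns
 * 2 and 3, and the guard drops the third copied pixel. */
int demo_skip_then_copy(void)
{
    uint16_t row[8] = {0};
    int written = blit_row_clipped(row, 8, SAMPLE_SKIP_COPY,
                                   sizeof SAMPLE_SKIP_COPY, 1, 3);
    if (row[1] != 0 || row[2] != 0xAA || row[3] != 0xBB || row[4] != 0)
        return -1;
    return written;
}

/* A window that extends past the row is rejected before any decoding. */
int demo_window_rejected(void)
{
    uint16_t row[4] = {0};
    return blit_row_clipped(row, 4, SAMPLE_LONG_RUN, sizeof SAMPLE_LONG_RUN, 2, 4);
}

int main(void)
{
    printf("stream encodes %d pixels, clipped blit wrote %d\n",
           demo_long_run_total(), demo_long_run_is_clipped());
    printf("skip+copy wrote %d, oversized window -> %d\n",
           demo_skip_then_copy(), demo_window_rejected());
    return 0;
}
```

The point the two demo functions make is the one the commit relies on: the run length embedded in the data, not the caller's width, decides how many stores the unguarded loop performs, so the bound has to be enforced inside the run loop itself.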
Diffstat (limited to 'engines/scumm/he/moonbase')
-rw-r--r-- | engines/scumm/he/moonbase/moonbase.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/engines/scumm/he/moonbase/moonbase.cpp b/engines/scumm/he/moonbase/moonbase.cpp index 941f32db23..1e8c8fa557 100644 --- a/engines/scumm/he/moonbase/moonbase.cpp +++ b/engines/scumm/he/moonbase/moonbase.cpp @@ -175,6 +175,8 @@ void Moonbase::blitT14WizImage(uint8 *dst, int dstw, int dsth, int dstPitch, con } src += 2; pixels++; + if (pixels >= cx + sx) + break; } } else { // skip if ((code & 1) == 0) { @@ -184,6 +186,8 @@ void Moonbase::blitT14WizImage(uint8 *dst, int dstw, int dsth, int dstPitch, con if (pixels >= sx) dst1 += 2; pixels++; + if (pixels >= cx + sx) + break; } } else { // special case if (pixels >= sx) { |
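Review bot: in the first hunk (@@ -175,6 +175,8 @@) the added `if (pixels >= cx + sx) break;` exits only the innermost run loop and leaves `src` pointing at the unconsumed remainder of the run; unless the enclosing loop, which is not visible in the hunk, also terminates when `pixels` reaches `cx + sx`, its next iteration would read leftover pixel bytes as run codes. Please either include that outer termination condition in the context or consume the rest of the run before breaking, and consider hoisting the limit into a named value (e.g. `const int endX = sx + cx;`) with a comment stating why the guard exists (the stack corruption described in the commit message).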
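Review bot: in the second hunk (@@ -184,6 +186,8 @@) the branch only advances `dst1 += 2` without storing, so the guard here bounds the destination pointer rather than a write; a one-line comment saying so would help the next reader. The check is duplicated verbatim from the previous hunk, while the `// special case` branch that begins in the trailing context gets no equivalent check; if that branch can also step `pixels` past `cx + sx`, it needs the same limit, so please confirm that or note why it cannot.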