diff options
| author | Colin Snover | 2017-04-12 21:01:11 -0500 |
|---|---|---|
| committer | Colin Snover | 2017-04-16 12:23:35 -0500 |
| commit | 4946f149b40ca421e7da6cad64ffbbf1b37744e3 (patch) | |
| tree | 089d63ff94039f880d0108e77d8f299139ec4f0c /engines/titanic/star_control | |
| parent | fa27fd7478f3326228cb16f4c0e392639aaed4a1 (diff) | |
| download | scummvm-rg350-4946f149b40ca421e7da6cad64ffbbf1b37744e3.tar.gz scummvm-rg350-4946f149b40ca421e7da6cad64ffbbf1b37744e3.tar.bz2 scummvm-rg350-4946f149b40ca421e7da6cad64ffbbf1b37744e3.zip | |
SCI: Improve MidiParser_SCI robustness against bad sound resources
1. KQ4 sound 104 has an extra 0xFC (MIDI Stop command/kEndOfTrack)
at the end of the resource, which causes an out-of-bounds read
because the filtering loop continues after the first 0xFC and
unconditionally attempts to read 2 bytes (expecting there to
always be a delta value + a command, whereas in this file there
is only another kEndOfTrack command). This is corrected by
exiting the filtering loop when a kEndOfTrack is encountered
and there is not enough data remaining in the resource to
continue reading.
2. KQ5 sound 699 is truncated, which causes the parser to attempt
to read past the end of the resource. This is addressed by
adding bounds checks that exit the mix loop early if there is
no more data available to read. This allows truncated sounds
to be played as far as possible (previously, trying to read
truncated resources would result in a fatal error).
3. midiMixChannels allocates an arbitrary amount of raw memory
for the mixed MIDI sequence, without performing any bounds
checking when writing to this memory, potentially leading to
a crash or silent corruption of adjacent memory. This is
mitigated by using SciSpan instead of a raw pointer for the
mixed data.
Fixes Trac#9727.
Diffstat (limited to 'engines/titanic/star_control')
0 files changed, 0 insertions, 0 deletions