ZVISION: Fix some buffer overruns with the usage of sscanf()

2 files changed, 3 insertions, 3 deletions

diff --git a/engines/zvision/scripting/controls/input_control.cpp b/engines/zvision/scripting/controls/input_control.cpp
index e75cc15743..d7734f6d7a 100644
--- a/engines/zvision/scripting/controls/input_control.cpp
+++ b/engines/zvision/scripting/controls/input_control.cpp
@@ -96,7 +96,7 @@ InputControl::InputControl(ZVision *engine, uint32 key, Common::SeekableReadStre
 		} else if (param.matchString("cursor_animation", true)) {
 			char fileName[25];
 
-			sscanf(values.c_str(), "%25s %*u", fileName);
+			sscanf(values.c_str(), "%24s %*u", fileName);
 
 			_animation = _engine->loadAnimation(fileName);
 			_frame = -1;
diff --git a/engines/zvision/scripting/controls/lever_control.cpp b/engines/zvision/scripting/controls/lever_control.cpp
index 8faa18357c..bef51f0e91 100644
--- a/engines/zvision/scripting/controls/lever_control.cpp
+++ b/engines/zvision/scripting/controls/lever_control.cpp
@@ -64,12 +64,12 @@ LeverControl::LeverControl(ZVision *engine, uint32 key, Common::SeekableReadStre
 	while (!stream.eos() && !line.contains('}')) {
 		if (param.matchString("descfile", true)) {
 			char levFileName[25];
-			sscanf(values.c_str(), "%25s", levFileName);
+			sscanf(values.c_str(), "%24s", levFileName);
 
 			parseLevFile(levFileName);
 		} else if (param.matchString("cursor", true)) {
 			char cursorName[25];
-			sscanf(values.c_str(), "%25s", cursorName);
+			sscanf(values.c_str(), "%24s", cursorName);
 
 			_cursor = _engine->getCursorManager()->getCursorId(Common::String(cursorName));
 		}