authorsylvaintv2011-04-09 19:07:20 +0200
committersylvaintv2011-04-09 19:07:20 +0200
commit0db4498bd9af61274672f02f627ccb371e2b4f75 (patch)
tree77641a8adae1614625020cdb2445a5e6b95461c2 /engines
parentb0351e1b85a550ec4f2422d4439e5ce17150f5a3 (diff)
TOON: Fix more valgrind issues
Fix more potential invalid read issues in RIF loading
Diffstat (limited to 'engines')
-rw-r--r--engines/toon/hotspot.cpp2
-rw-r--r--engines/toon/tools.cpp17
2 files changed, 16 insertions, 3 deletions
diff --git a/engines/toon/hotspot.cpp b/engines/toon/hotspot.cpp
index ec2344d659..0573e92fef 100644
--- a/engines/toon/hotspot.cpp
+++ b/engines/toon/hotspot.cpp
@@ -127,7 +127,7 @@ bool Hotspots::LoadRif(Common::String rifName, Common::String additionalRifName)
decoder.unpackM1(rifData, size, _items);
if (rifsize2) {
RncDecoder decoder2;
- decoder2.unpackM1(rifData2 , size, _items + (rifsize >> 9));
+ decoder2.unpackM1(rifData2 , size2, _items + (rifsize >> 9));
for (int32 i = 0; i < (rifsize2 >> 9); i++) {
HotspotData *hot = _items + (rifsize >> 9) + i;
hot->setData(0, hot->getX1() + 1280);
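Review bot: The result of `decoder2.unpackM1(...)` on the changed line is still discarded, as is the first decoder's result on the line above, so a rejected or truncated additional RIF goes unnoticed and the loop that follows still offsets `rifsize2 >> 9` entries of `_items`. unpackM1 returns an `int32` and takes no output capacity, so the caller is the only place that can confirm the unpacked data fits the slots starting at `_items + (rifsize >> 9)`. I would check the result, e.g. `if (decoder2.unpackM1(rifData2, size2, _items + (rifsize >> 9)) <= 0) return false;`, assuming a non-positive value means failure, and after releasing whatever buffers LoadRif owns at that point; its body starts and ends outside the hunk. Since `inputSize` is a `uint16`, it is also worth confirming that `size2` cannot exceed 65535 before it is passed.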
diff --git a/engines/toon/tools.cpp b/engines/toon/tools.cpp
index bad796158a..da6e0f712e 100644
--- a/engines/toon/tools.cpp
+++ b/engines/toon/tools.cpp
@@ -373,8 +373,21 @@ int32 RncDecoder::unpackM1(const void *input, uint16 inputSize, void *output) {
_dstPtr += inputLength;
_srcPtr += inputLength;
_inputByteLeft -= inputLength;
- uint16 a = READ_LE_UINT16(_srcPtr);
- uint16 b = READ_LE_UINT16(_srcPtr + 2);
+ uint16 a;
+ if (_inputByteLeft <= 0)
+ a = 0;
+ else if (_inputByteLeft == 1)
+ a = *_srcPtr;
+ else
+ a = READ_LE_UINT16(_srcPtr);
+
+ uint16 b;
+ if (_inputByteLeft <= 2)
+ b = 0;
+ else if(_inputByteLeft == 3)
+ b = *(_srcPtr + 2);
+ else
+ b = READ_LE_UINT16(_srcPtr + 2);
_bitBuffl &= ((1 << _bitCount) - 1);
_bitBuffl |= (a << _bitCount);
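Review bot: `_inputByteLeft -= inputLength` at the top of the hunk runs after `_dstPtr` and `_srcPtr` have already been advanced by `inputLength`, and nothing visible compares `inputLength` with the bytes remaining. The new `_inputByteLeft <= 0` branch therefore only avoids the two trailing reads; when the counter is negative, the literal copy before the hunk has presumably already run past the input. Rejecting the stream earlier would close that, e.g. `if (inputLength > _inputByteLeft) return 0;` placed before the copy, with the return value replaced by whatever failure code unpackM1 already uses. The tail handling for `a` and `b` is the same logic written twice and would read better as one small helper with a comment such as `// Input exhausted: pad the bit buffer with zeros instead of reading past the end of the source`. The enclosing loop and function continue outside the hunk, so the copy and the declared types of `inputLength` and `_inputByteLeft` are inferred here.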