TOON: Fix several Valgrind issues

Maybe caused random crashes on reading invalid memory
author: sylvaintv 2011-04-06 23:07:11 +0200
committer: sylvaintv 2011-04-06 23:07:11 +0200
commit: 3dc87c4f3d775a75034779cf162129f914bd5a8c (patch)
tree: e66333a8c27b897c78d86ce16e9001669678a622 /engines
parent: 4f09018b00007fc9acc6ac7b7930aa57ae392d02 (diff)
download: scummvm-rg350-3dc87c4f3d775a75034779cf162129f914bd5a8c.tar.gz
scummvm-rg350-3dc87c4f3d775a75034779cf162129f914bd5a8c.tar.bz2
scummvm-rg350-3dc87c4f3d775a75034779cf162129f914bd5a8c.zip
7 files changed, 37 insertions, 9 deletions
diff --git a/engines/toon/character.cpp b/engines/toon/character.cpp
index a1bd3334c5..69051d45fd 100644
--- a/engines/toon/character.cpp
+++ b/engines/toon/character.cpp
@@ -64,6 +64,7 @@ Character::Character(ToonEngine *vm) : _vm(vm) {
 	_lastWalkTime = 0;
 	_numPixelToWalk = 0;
 	_nextIdleTime = _vm->getSystem()->getMillis() + (_vm->randRange(0, 600) + 300) * _vm->getTickLength();
+	_lineToSayId = 0;
 }
 
 Character::~Character(void) {
diff --git a/engines/toon/detection.cpp b/engines/toon/detection.cpp
index f8c4c08ce6..ef023564bc 100644
--- a/engines/toon/detection.cpp
+++ b/engines/toon/detection.cpp
@@ -91,6 +91,15 @@ static const ADGameDescription gameDescriptions[] = {
 		},
 		Common::DE_DEU, Common::kPlatformPC, ADGF_DEMO, GUIO_NONE
 	},
+	{
+		"toon", "",
+		{
+			{"local.pak", 0, "8ef3368078b9ea70b305c04db826feea", 2680573},
+			{"generic.svl", 0, "5c42724bb93b360dca7044d6b7ef26e5", 7739319},
+			AD_LISTEND
+		},
+		Common::EN_ANY, Common::kPlatformPC, ADGF_DEMO, GUIO_NONE
+	},
 
 	AD_TABLE_END_MARKER
 };
diff --git a/engines/toon/hotspot.cpp b/engines/toon/hotspot.cpp
index df55eadd05..ec2344d659 100644
--- a/engines/toon/hotspot.cpp
+++ b/engines/toon/hotspot.cpp
@@ -124,10 +124,10 @@ bool Hotspots::LoadRif(Common::String rifName, Common::String additionalRifName)
 
 	// RIFs are compressed in RNC1
 	RncDecoder decoder;
-	decoder.unpackM1(rifData, _items);
+	decoder.unpackM1(rifData, size, _items);
 	if (rifsize2) {
 		RncDecoder decoder2;
-		decoder2.unpackM1(rifData2 , _items + (rifsize >> 9));
+		decoder2.unpackM1(rifData2 , size, _items + (rifsize >> 9));
 		for (int32 i = 0; i < (rifsize2 >> 9); i++) {
 			HotspotData *hot = _items + (rifsize >> 9) + i;
 			hot->setData(0, hot->getX1() + 1280);
diff --git a/engines/toon/picture.cpp b/engines/toon/picture.cpp
index b0932bd32a..1945f0fe45 100644
--- a/engines/toon/picture.cpp
+++ b/engines/toon/picture.cpp
@@ -97,7 +97,7 @@ bool Picture::loadPicture(Common::String file, bool totalPalette /*= false*/) {
 
 		_data = new uint8[decSize];
 
-		rnc.unpackM1(fileData, _data);
+		rnc.unpackM1(fileData, size, _data);
 
 		// size can only be 640x400 or 1280x400
 		if (decSize > TOON_SCREEN_WIDTH * TOON_SCREEN_HEIGHT + 768)
diff --git a/engines/toon/tools.cpp b/engines/toon/tools.cpp
index e1478645db..bad796158a 100644
--- a/engines/toon/tools.cpp
+++ b/engines/toon/tools.cpp
@@ -200,7 +200,16 @@ uint16 RncDecoder::inputBits(uint8 amount) {
 		newBitBuffl >>= newBitCount;
 		newBitBuffl |= remBits;
 		_srcPtr += 2;
-		newBitBuffh = READ_LE_UINT16(_srcPtr);
+
+		// added some more check here to prevent reading in the buffer
+		// if there are no bytes anymore.
+		_inputByteLeft -= 2;
+		if (_inputByteLeft <= 0)
+			newBitBuffh = 0;
+		else if (_inputByteLeft == 1)
+			newBitBuffh = *_srcPtr;
+		else
+			newBitBuffh = READ_LE_UINT16(_srcPtr);
 		amount -= newBitCount;
 		newBitCount = 16 - amount;
 	}
@@ -283,7 +292,7 @@ int RncDecoder::getbit() {
 	return temp;
 }
 
-int32 RncDecoder::unpackM1(const void *input, void *output) {
+int32 RncDecoder::unpackM1(const void *input, uint16 inputSize, void *output) {
 	debugC(1, kDebugTools, "unpackM1(input, output)");
 
 	uint8 *outputLow, *outputHigh;
@@ -295,6 +304,8 @@ int32 RncDecoder::unpackM1(const void *input, void *output) {
 	uint16 crcUnpacked = 0;
 	uint16 crcPacked = 0;
 
+
+	_inputByteLeft = inputSize;
 	_bitBuffl = 0;
 	_bitBuffh = 0;
 	_bitCount = 0;
@@ -337,9 +348,12 @@ int32 RncDecoder::unpackM1(const void *input, void *output) {
 		_srcPtr = (_dstPtr - packLen);
 	}
 
+	_inputByteLeft -= HEADER_LEN;
+
 	_dstPtr = (uint8 *)output;
 	_bitCount = 0;
 
+
 	_bitBuffl = READ_LE_UINT16(_srcPtr);
 	inputBits(2);
 
@@ -358,6 +372,7 @@ int32 RncDecoder::unpackM1(const void *input, void *output) {
 				memcpy(_dstPtr, _srcPtr, inputLength); //memcpy is allowed here
 				_dstPtr += inputLength;
 				_srcPtr += inputLength;
+				_inputByteLeft -= inputLength;
 				uint16 a = READ_LE_UINT16(_srcPtr);
 				uint16 b = READ_LE_UINT16(_srcPtr + 2);
 
diff --git a/engines/toon/tools.h b/engines/toon/tools.h
index 1d8b4a6a5b..b716d4813a 100644
--- a/engines/toon/tools.h
+++ b/engines/toon/tools.h
@@ -63,10 +63,12 @@ protected:
 	const uint8 *_srcPtr;
 	uint8 *_dstPtr;
 
+	uint16 _inputByteLeft;
+
 public:
 	RncDecoder();
 	~RncDecoder();
-	int32 unpackM1(const void *input, void *output);
+	int32 unpackM1(const void *input, uint16 inputSize, void *output);
 	int32 unpackM2(const void *input, void *output);
 
 protected:
diff --git a/engines/toon/toon.cpp b/engines/toon/toon.cpp
index 0c7989f317..2040668245 100644
--- a/engines/toon/toon.cpp
+++ b/engines/toon/toon.cpp
@@ -1320,8 +1320,8 @@ void ToonEngine::loadAdditionalPalette(Common::String fileName, int32 mode) {
 		fixPaletteEntries(_additionalPalette2, 23);
 		break;
 	case 2:
-		memcpy(_cutawayPalette, palette, 768);
-		fixPaletteEntries(_cutawayPalette, 256);
+		memcpy(_cutawayPalette, palette, size);
+		fixPaletteEntries(_cutawayPalette, size/3);
 		break;
 	case 3:
 		memcpy(_universalPalette, palette, 96);
@@ -2834,7 +2834,8 @@ void ToonEngine::newGame() {
 		addItemToInventory(67);
 		addItemToInventory(11);
 		addItemToInventory(19);
-		loadScene(_gameState->_currentScene);
+		loadScene(22);
+		//loadScene(_gameState->_currentScene);
 	} else {
 		//loadScene(4);
 		loadScene(_gameState->_currentScene);
author	sylvaintv	2011-04-06 23:07:11 +0200
committer	sylvaintv	2011-04-06 23:07:11 +0200
commit	3dc87c4f3d775a75034779cf162129f914bd5a8c (patch)
tree	e66333a8c27b897c78d86ce16e9001669678a622 /engines
parent	4f09018b00007fc9acc6ac7b7930aa57ae392d02 (diff)
download	scummvm-rg350-3dc87c4f3d775a75034779cf162129f914bd5a8c.tar.gz scummvm-rg350-3dc87c4f3d775a75034779cf162129f914bd5a8c.tar.bz2 scummvm-rg350-3dc87c4f3d775a75034779cf162129f914bd5a8c.zip