authorThanasis Antoniou2019-07-28 14:05:26 +0300
committerThanasis Antoniou2019-07-28 14:06:26 +0300
commit4b482b2d3e32e834eefb4d6af1a175f2b2ac75da (patch)
treeae4983425d7ae2c19796c6966070ce92248b9bfb
parent6884441f519fa95da54f9ea977c900321ab48701 (diff)
BLADERUNNER: prevent seg fault in ESPER
Also added CLIP to all getBasePtr() calls where it would seem appropriate/safer to do so
-rw-r--r--engines/bladerunner/bladerunner.cpp4
-rw-r--r--engines/bladerunner/dialogue_menu.cpp2
-rw-r--r--engines/bladerunner/font.cpp2
-rw-r--r--engines/bladerunner/shape.cpp2
-rw-r--r--engines/bladerunner/slice_renderer.cpp4
-rw-r--r--engines/bladerunner/ui/esper.cpp30
-rw-r--r--engines/bladerunner/vqa_decoder.cpp2
7 files changed, 37 insertions, 9 deletions
diff --git a/engines/bladerunner/bladerunner.cpp b/engines/bladerunner/bladerunner.cpp
index e4049830d7..93ffbe0e5e 100644
--- a/engines/bladerunner/bladerunner.cpp
+++ b/engines/bladerunner/bladerunner.cpp
@@ -2232,8 +2232,8 @@ Graphics::Surface BladeRunnerEngine::generateThumbnail() const {
for (int x = 0; x < thumbnail.w; ++x) {
uint8 r, g, b;
- uint16 srcPixel = *(const uint16 *)_surfaceFront.getBasePtr(x * 8, y * 8);
- uint16 *dstPixel = (uint16 *)thumbnail.getBasePtr(x, y);
+ uint16 srcPixel = *(const uint16 *)_surfaceFront.getBasePtr(CLIP(x * 8, 0, _surfaceFront.w - 1), CLIP(y * 8, 0, _surfaceFront.h - 1) );
+ uint16 *dstPixel = (uint16 *)thumbnail.getBasePtr(CLIP(x, 0, thumbnail.w - 1), CLIP(y, 0, thumbnail.h - 1));
// Throw away alpha channel as it is not needed
_surfaceFront.format.colorToRGB(srcPixel, r, g, b);
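Review bot: The destination-side clamp in `thumbnail.getBasePtr(CLIP(x, 0, thumbnail.w - 1), ...)` cannot change x, because the visible loop already runs `x < thumbnail.w`; the y loop is outside the hunk and is presumably bounded the same way. On the source side the clamp hides a size mismatch by sampling the last row or column repeatedly. If the thumbnail is meant to be exactly one eighth of the front surface, `assert((thumbnail.w - 1) * 8 < _surfaceFront.w && (thumbnail.h - 1) * 8 < _surfaceFront.h);` before the loops would report the mismatch instead. With a zero-sized surface the upper bound `w - 1` becomes -1, so CLIP would likely pass a negative coordinate to getBasePtr; this applies to every CLIP added in this commit.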
diff --git a/engines/bladerunner/dialogue_menu.cpp b/engines/bladerunner/dialogue_menu.cpp
index 352303cbfb..2a9dcd884c 100644
--- a/engines/bladerunner/dialogue_menu.cpp
+++ b/engines/bladerunner/dialogue_menu.cpp
@@ -552,7 +552,7 @@ void DialogueMenu::darkenRect(Graphics::Surface &s, int x1, int y1, int x2, int
if (x1 < x2 && y1 < y2) {
for (int y = y1; y != y2; ++y) {
for (int x = x1; x != x2; ++x) {
- uint16 *p = (uint16 *)s.getBasePtr(x, y);
+ uint16 *p = (uint16 *)s.getBasePtr(CLIP(x, 0, s.w - 1), CLIP(y, 0, s.h - 1));
uint8 r, g, b;
s.format.colorToRGB(*p, r, g, b);
r /= 4;
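Review bot: Clamping inside the loop makes every out-of-range (x, y) alias a border pixel, and because this loop reads the pixel, darkens it (`r /= 4`) and presumably writes it back, that border pixel is darkened once per aliased iteration. Clipping the rectangle once before the `if (x1 < x2 && y1 < y2)` test avoids both the out-of-bounds access and the repeated darkening: `x1 = MAX(x1, 0); y1 = MAX(y1, 0);` and `x2 = MIN(x2, (int)s.w); y2 = MIN(y2, (int)s.h);`. The `!=` loop conditions stay safe because the existing guard then runs on the clipped values. The function's start and end are outside the hunk.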
diff --git a/engines/bladerunner/font.cpp b/engines/bladerunner/font.cpp
index 2512f8671c..68e0408585 100644
--- a/engines/bladerunner/font.cpp
+++ b/engines/bladerunner/font.cpp
@@ -118,7 +118,7 @@ void Font::drawChar(Graphics::Surface *dst, uint32 chr, int x, int y, uint32 col
return;
}
- uint16 *dstPtr = (uint16 *)dst->getBasePtr(x + _characters[characterIndex].x, y + _characters[characterIndex].y);
+ uint16 *dstPtr = (uint16 *)dst->getBasePtr(CLIP(x + _characters[characterIndex].x, 0, dst->w - 1), CLIP(y + _characters[characterIndex].y, 0, dst->h - 1));
uint16 *srcPtr = &_data[_characters[characterIndex].dataOffset];
int width = _characters[characterIndex].width;
int height = _characters[characterIndex].height;
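Review bot: Only the starting pointer is clamped here; the glyph's `width` and `height` read on the following lines are not checked against the room left in `dst`. If the copy loop below the hunk walks the full glyph from `dstPtr`, a character placed partly off the right or bottom edge would still write past the row or the buffer. Clamping also moves an off-screen glyph onto the border instead of cropping it. Returning early (or cropping) when the glyph rectangle does not fit is safer, e.g. `if (x + _characters[characterIndex].x < 0 || x + _characters[characterIndex].x + _characters[characterIndex].width > dst->w) return;` with the same test for y and height. The copy loop is outside the hunk, so confirm against it.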
diff --git a/engines/bladerunner/shape.cpp b/engines/bladerunner/shape.cpp
index 2d01d1336a..de7a572fa6 100644
--- a/engines/bladerunner/shape.cpp
+++ b/engines/bladerunner/shape.cpp
@@ -116,7 +116,7 @@ void Shape::draw(Graphics::Surface &surface, int x, int y) const {
uint16 outColor = (uint16)surface.format.RGBToColor(r, g, b);
if (!a) {
- *(uint16 *)(surface.getBasePtr(dst_x + xi, dst_y + yi)) = outColor;
+ *(uint16 *)(surface.getBasePtr(CLIP(dst_x + xi, 0, surface.w - 1), CLIP(dst_y + yi, 0, surface.h - 1))) = outColor;
}
}
src_p += 2 * (_width - rect_w);
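Review bot: An out-of-range coordinate is now redirected to the nearest border pixel, so the write that used to crash silently overwrites a valid pixel with the wrong colour instead of being dropped. The `rect_w` on the last line suggests the draw rectangle is already clipped to the surface earlier in the function, which is outside the hunk. If so, the clamp is dead code, and a comment such as `// dst_x + xi and dst_y + yi are already clipped to the surface above` would document the invariant in the same way as the comments added in slice_renderer.cpp. If not, skipping the pixel is the safer behaviour. The same clamp-then-write pattern appears in ESPER::copyImageBlit and VQAVideoTrack::VPTRWriteBlock.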
diff --git a/engines/bladerunner/slice_renderer.cpp b/engines/bladerunner/slice_renderer.cpp
index 4c340537d2..f797d13b1a 100644
--- a/engines/bladerunner/slice_renderer.cpp
+++ b/engines/bladerunner/slice_renderer.cpp
@@ -468,6 +468,7 @@ void SliceRenderer::drawInWorld(int animationId, int animationFrame, Vector3 pos
_setEffectColor.b = setEffectColor.b * 31.0f * 65536.0f;
if (frameY >= 0 && frameY < surface.h) {
+ // No need to CLIP frameY here in getBasePtr(), since it is within [0, surface.h - 1]
drawSlice((int)sliceLine, true, (uint16 *)surface.getBasePtr(0, frameY), zBufferLinePtr, frameY);
}
@@ -530,6 +531,7 @@ void SliceRenderer::drawOnScreen(int animationId, int animationFrame, int screen
while (currentSlice < _frameSliceCount) {
if (currentY >= 0 && currentY < surface.h) {
memset(lineZbuffer, 0xFF, 640 * 2);
+ // No need to CLIP currentY here in getBasePtr(), since it is within [0, surface.h - 1]
drawSlice(currentSlice, false, (uint16 *)surface.getBasePtr(0, currentY), lineZbuffer, currentY);
currentSlice += sliceStep;
currentY--;
@@ -721,7 +723,7 @@ void SliceRenderer::drawShadowPolygon(int transparency, Graphics::Surface &surfa
for (int x = MIN(xMin, xMax); x < MAX(xMin, xMax); ++x) {
uint16 z = zbuffer[x + y * 640];
- uint16 *pixel = (uint16*)surface.getBasePtr(x, y);
+ uint16 *pixel = (uint16*)surface.getBasePtr(CLIP(x, 0, surface.w - 1), CLIP(y, 0, surface.h - 1));
if (z >= zMin) {
int index = (x & 3) + ((y & 3) << 2);
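Review bot: The z-buffer read on the line above the changed one, `zbuffer[x + y * 640]`, still uses the raw x and y, so the coordinates this clamp guards against would index outside `zbuffer` before the surface pointer is taken. Bounding the loop covers both accesses: `for (int x = MAX(MIN(xMin, xMax), 0); x < MIN(MAX(xMin, xMax), (int)surface.w); ++x)`, with the matching bound on the y loop, which is outside the hunk. The hard-coded 640 stride also assumes the surface is 640 pixels wide; an assert on `surface.w` would make that explicit.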
diff --git a/engines/bladerunner/ui/esper.cpp b/engines/bladerunner/ui/esper.cpp
index 3a4e8c9fc4..753b2f9532 100644
--- a/engines/bladerunner/ui/esper.cpp
+++ b/engines/bladerunner/ui/esper.cpp
@@ -1164,6 +1164,12 @@ void ESPER::copyImageScale(Graphics::Surface *src, Common::Rect srcRect, Graphic
int srcX = srcRect.left;
int srcXCounter = 0;
for (int dstX = dstRect.left; dstX < dstRect.right; ++dstX) {
+ srcX = CLIP(srcX, 0, src->w - 1);
+ srcY = CLIP(srcY, 0, src->h - 1);
+
+ dstX = CLIP(dstX, 0, dst->w - 1);
+ dstY = CLIP(dstY, 0, dst->h - 1);
+
uint16 *srcPtr = (uint16 *)src->getBasePtr(srcX, srcY);
uint16 *dstPtr = (uint16 *)dst->getBasePtr(dstX, dstY);
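Review bot: Assigning the clamped value back to the loop counter (`dstX = CLIP(dstX, 0, dst->w - 1);`) can turn the crash into a hang. If `dstRect.right` is larger than `dst->w`, dstX is pulled back to `dst->w - 1` on every pass and `dstX < dstRect.right` never becomes false, unless code outside the hunk breaks out of the loop. The same applies to dstY and the enclosing loop, and rewriting srcX/srcY in place also disturbs the scaling state carried in `srcXCounter`. Clamping only at the point of use leaves the iteration untouched: `uint16 *dstPtr = (uint16 *)dst->getBasePtr(CLIP(dstX, 0, dst->w - 1), CLIP(dstY, 0, dst->h - 1));` and likewise for srcPtr. The same in-place assignments are added in the hunks at 1209, 1277 and 1351 of this file.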
@@ -1203,6 +1209,13 @@ void ESPER::copyImageScale(Graphics::Surface *src, Common::Rect srcRect, Graphic
srcXCounter -= dstRect.width();
++srcX;
}
+
+ srcX = CLIP(srcX, 0, src->w - 1);
+ srcY = CLIP(srcY, 0, src->h - 1);
+
+ dstX = CLIP(dstX, 0, dst->w - 1);
+ dstY = CLIP(dstY, 0, dst->h - 1);
+
uint16 *srcPtr = (uint16 *)src->getBasePtr(srcX, srcY);
uint16 *dstPtr = (uint16 *)dst->getBasePtr(dstX, dstY);
@@ -1264,6 +1277,13 @@ void ESPER::copyImageBlur(Graphics::Surface *src, Common::Rect srcRect, Graphics
}
int skipX = 0;
while (dstX < dstRect.right && skipX < skipXMax) {
+
+ srcX = CLIP(srcX, 0, src->w - 1);
+ srcY = CLIP(srcY, 0, src->h - 1);
+
+ dstX = CLIP(dstX, 0, dst->w - 1);
+ dstY = CLIP(dstY, 0, dst->h - 1);
+
uint16 *srcPtr = (uint16 *)src->getBasePtr(srcX, srcY);
uint16 *dstPtr = (uint16 *)dst->getBasePtr(dstX, dstY);
@@ -1331,6 +1351,12 @@ void ESPER::copyImageBlur(Graphics::Surface *src, Common::Rect srcRect, Graphics
srcX += 1; // bug in original game? Is using 1 instead of skipX as for Y
}
+ srcX = CLIP(srcX, 0, src->w - 1);
+ srcY = CLIP(srcY, 0, src->h - 1);
+
+ dstX = CLIP(dstX, 0, dst->w - 1);
+ dstY = CLIP(dstY, 0, dst->h - 1);
+
uint16 *srcPtr = (uint16 *)src->getBasePtr(srcX, srcY);
uint16 *dstPtr = (uint16 *)dst->getBasePtr(dstX, dstY);
@@ -1364,8 +1390,8 @@ void ESPER::copyImageBlur(Graphics::Surface *src, Common::Rect srcRect, Graphics
void ESPER::copyImageBlit(Graphics::Surface *src, Common::Rect srcRect, Graphics::Surface *dst, Common::Rect dstRect) {
for (int y = 0; y < dstRect.height(); ++y) {
for (int x = 0; x < dstRect.width(); ++x) {
- uint16 *srcPtr = (uint16 *)src->getBasePtr(srcRect.left + x, srcRect.top + y);
- uint16 *dstPtr = (uint16 *)dst->getBasePtr(dstRect.left + x, dstRect.top + y);
+ uint16 *srcPtr = (uint16 *)src->getBasePtr(CLIP(srcRect.left + x, 0, src->w - 1), CLIP(srcRect.top + y, 0, src->h - 1));
+ uint16 *dstPtr = (uint16 *)dst->getBasePtr(CLIP(dstRect.left + x, 0, dst->w - 1), CLIP(dstRect.top + y, 0, dst->h - 1));
*dstPtr = *srcPtr;
}
}
diff --git a/engines/bladerunner/vqa_decoder.cpp b/engines/bladerunner/vqa_decoder.cpp
index 68737858ca..cb7028f764 100644
--- a/engines/bladerunner/vqa_decoder.cpp
+++ b/engines/bladerunner/vqa_decoder.cpp
@@ -839,7 +839,7 @@ void VQADecoder::VQAVideoTrack::VPTRWriteBlock(Graphics::Surface *surface, unsig
uint16 outColor = (uint16)surface->format.RGBToColor(r, g, b);
if (!(alpha && a)) {
- *(uint16 *)(surface->getBasePtr(dst_x + x, dst_y + y)) = outColor;
+ *(uint16 *)(surface->getBasePtr(CLIP(dst_x + x, (uint32)0, (uint32)(surface->w - 1)), CLIP(dst_y + y, (uint32)0, (uint32)(surface->h - 1)))) = outColor;
}
}
}
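Review bot: The casts to uint32 make this clamp weaker than it looks. The lower bound `(uint32)0` can never trigger for an unsigned value, and if `surface->w` or `surface->h` is 0 the upper bound `(uint32)(surface->w - 1)` wraps to the maximum uint32, so nothing is clamped at all. The block position here presumably comes from decoded video data, so an out-of-range value signals a malformed or truncated stream. It is better to reject the block once before the pixel loops than to repaint the border pixel, e.g. `if (dst_x >= (uint32)surface->w || dst_y >= (uint32)surface->h) return;` plus a check that the block extent fits. The start of VPTRWriteBlock and the loop headers are outside the hunk, so the exact types and block size need confirming there.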