SCI32: Fix bad relocations of SCI3 objects

2 files changed, 3 insertions, 3 deletions

diff --git a/engines/sci/engine/object.cpp b/engines/sci/engine/object.cpp
index 47d551980e..b507e36a77 100644
--- a/engines/sci/engine/object.cpp
+++ b/engines/sci/engine/object.cpp
@@ -140,6 +140,7 @@ bool Object::relocateSci0Sci21(SegmentId segment, int location, size_t scriptSiz
 
 bool Object::relocateSci3(SegmentId segment, uint32 location, int offset, size_t scriptSize) {
 	assert(_propertyOffsetsSci3.size());
+	assert(offset >= 0 && (uint)offset < scriptSize);
 
 	for (uint i = 0; i < _variables.size(); ++i) {
 		if (location == _propertyOffsetsSci3[i]) {
diff --git a/engines/sci/engine/script.cpp b/engines/sci/engine/script.cpp
index 1672f69975..f24437346b 100644
--- a/engines/sci/engine/script.cpp
+++ b/engines/sci/engine/script.cpp
@@ -764,13 +764,12 @@ void Script::relocateSci0Sci21(reg_t block) {
 
 void Script::relocateSci3(reg_t block) {
 	SciSpan<const byte> relocStart = _buf->subspan(_buf->getUint32SEAt(8));
-	//int count = _bufSize - READ_SCI11ENDIAN_UINT32(_buf + 8);
+	const uint relocCount = _buf->getUint16SEAt(18);
 
 	ObjMap::iterator it;
 	for (it = _objects.begin(); it != _objects.end(); ++it) {
 		SciSpan<const byte> seeker = relocStart;
-		while (seeker.size()) {
-			// TODO: Find out what UINT16 at (seeker + 8) means
+		for (uint i = 0; i < relocCount; ++i) {
 			it->_value.relocateSci3(block.getSegment(),
 						seeker.getUint32SEAt(0),
 						seeker.getUint32SEAt(4),