authorColin Snover2017-04-09 11:57:48 -0500
committerColin Snover2017-04-23 13:07:25 -0500
commit88f020c7d47b4e35a09e9cc1f2a5209acecb3a7e (patch)
tree59269116f05bb50a9b0d661bf2335c133a0d8b54 /engines
parent4d9b019b18e66f58a7cd88348dfbcd6bf6d93c79 (diff)
SCI32: Fix out-of-bounds reads of truncated uncompressed cels
This happens e.g. on the About page in LSL7 because of an interpreter problem: bitmap handles are destroyed and then reused without a kFrameOut call to remove the old screen items from the visible plane list before a kIsOnMe call, so the engine tries to read from the reused bitmap handles, which now have different contents and dimensions. This replaces the bad memory reads on the About page in LSL7 with an assertion failure, until the problem with the About page can be properly addressed.
Diffstat (limited to 'engines')
-rw-r--r--engines/sci/graphics/celobj32.cpp5
1 files changed, 4 insertions, 1 deletions
diff --git a/engines/sci/graphics/celobj32.cpp b/engines/sci/graphics/celobj32.cpp
index 75f6280460..df55ec9567 100644
--- a/engines/sci/graphics/celobj32.cpp
+++ b/engines/sci/graphics/celobj32.cpp
@@ -263,7 +263,7 @@ int16 SCALER_Scale<FLIP, READER>::_valuesY[kCelScalerTableSize];
struct READER_Uncompressed {
private:
#ifndef NDEBUG
- const int16 _sourceHeight;
+ int16 _sourceHeight;
#endif
const byte *_pixels;
const int16 _sourceWidth;
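Review bot: Dropping `const` from `_sourceHeight` only serves the debug build: the member and its update in the constructor (second hunk) both sit under `#ifndef NDEBUG`, so an NDEBUG build keeps no record of the truncated height and the out-of-bounds read named in the commit title remains possible there, which the description also implies ("replaces bad memory reads ... with an assertion failure"). If a release-safe fix is wanted, the member could be kept unconditionally and the row count clamped to `numPixels / celObj._width` instead of only asserted; if the debug-only scope is intended, the field should say so, e.g. `// Debug only: rows actually backed by pixel data; lowered by the ctor for truncated cels so the bounds assertion uses the real height`. READER_Uncompressed continues past this hunk, and the second hunk with the truncation check is cut off at the bottom of the page.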
@@ -280,6 +280,9 @@ public:
if (numPixels < celObj._width * celObj._height) {
warning("%s is truncated", celObj._info.toString().c_str());
+#ifndef NDEBUG
+ _sourceHeight = numPixels / celObj._width;
+#endif
}
_pixels = resource.getUnsafeDataAt(pixelsOffset, numPixels);