author | Max Horn | 2004-01-02 03:20:07 +0000 |
---|---|---|
committer | Max Horn | 2004-01-02 03:20:07 +0000 |
commit | ae4b45952133cdbc76df707b549321a96acf9c89 (patch) | |
tree | 3c528bceff4cb4373e78ded6816d3dab41b00a7b /scumm | |
parent | 315dc0238ce60f1c5216ecd3622bd10d093a8656 (diff) | |
Fix for bug #869045 (DIG: Crash in bundle decoder); t'was a buffer overflow
svn-id: r12079
Diffstat (limited to 'scumm')
-rw-r--r-- | scumm/bundle.cpp | 4 | ||||
-rw-r--r-- | scumm/imuse_digi.cpp | 16 |
2 files changed, 10 insertions, 10 deletions
diff --git a/scumm/bundle.cpp b/scumm/bundle.cpp
index 550ff34ec1..6d674d6abe 100644
--- a/scumm/bundle.cpp
+++ b/scumm/bundle.cpp
@@ -318,8 +318,7 @@ int32 Bundle::decompressVoiceSampleByIndex(int32 index, byte **comp_final) {
 }
 int32 Bundle::decompressMusicSampleByIndex(int32 index, int32 number, byte *comp_final) {
- int32 i = 0;
- int tag, num, final_size;
+ int final_size;
 byte *comp_input;
 if (_musicFile.isOpen() == false) {
@@ -328,6 +327,7 @@ int32 Bundle::decompressMusicSampleByIndex(int32 index, int32 number, byte *comp
 }
 if (_lastSong != index) {
+ int i, tag, num;
 _musicFile.seek(_bundleMusicTable[index].offset, SEEK_SET);
 tag = _musicFile.readUint32BE();
 num = _musicFile.readUint32BE();
diff --git a/scumm/imuse_digi.cpp b/scumm/imuse_digi.cpp
index d73c7bc688..5d7102c0c4 100644
--- a/scumm/imuse_digi.cpp
+++ b/scumm/imuse_digi.cpp
@@ -1294,7 +1294,7 @@ void IMuseDigital::bundleMusicHandler() {
 ptr = _musicBundleBufOutput;
- for (k = 0, l = _currentSampleBundleMusic; l < num; k++) {
+ for (k = 0, l = _currentSampleBundleMusic; l < num && (_offsetSampleBundleMusic < _outputMixerSize + header_size); k++) {
 length = _bundle->decompressMusicSampleByName(_nameBundleMusic, l, (_musicBundleBufOutput + ((k * 0x2000) + _offsetBufBundleMusic)));
 _offsetSampleBundleMusic += length;
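Review bot: The new `int i, tag, num;` inside the `if (_lastSong != index)` block (bundle.cpp, second hunk) drops the `= 0` that the old function-scope `int32 i = 0;` carried, so `i` is indeterminate until something assigns it. The rest of the block lies outside the hunk, so this is only safe if the first use of `i` is an assignment; writing `int i = 0, tag, num;` keeps the old guarantee at no cost. `tag` and `num` are also filled from `readUint32BE()` into signed `int`, so if `num` goes on to size a table or bound a loop, a negative or implausibly large value from a damaged bundle should be rejected before that use.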
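Review bot: The added loop condition in `bundleMusicHandler()` bounds `_offsetSampleBundleMusic`, but the pointer handed to `decompressMusicSampleByName()` is `_musicBundleBufOutput + (k * 0x2000) + _offsetBufBundleMusic`, and nothing in this hunk compares that offset with the size of `_musicBundleBufOutput`. Because the condition is tested before the call, the iteration that crosses `_outputMixerSize + header_size` still writes a whole decoded chunk, so the fix holds only if the buffer was allocated with at least one chunk of headroom past that threshold; the allocation is not visible here. I would state that invariant next to the loop, e.g. `// _musicBundleBufOutput must hold _outputMixerSize + header_size plus one decompressed chunk`, and back it with an `assert` on the destination offset against the allocated size. The returned `length` is added to the offset unchecked in the visible lines; if the decoder can return a negative value on error, that should be handled before the addition. The loop body continues outside the hunk.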
@@ -1338,13 +1338,13 @@ void IMuseDigital::bundleMusicHandler() {
 l++;
 _currentSampleBundleMusic = l;
- if (_offsetSampleBundleMusic >= _outputMixerSize + header_size) {
- memcpy(_musicBundleBufFinal, (_musicBundleBufOutput + header_size), _outputMixerSize);
- _offsetBufBundleMusic = _offsetSampleBundleMusic - _outputMixerSize - header_size;
- memcpy(_musicBundleBufOutput, (_musicBundleBufOutput + (_outputMixerSize + header_size)), _offsetBufBundleMusic);
- _offsetSampleBundleMusic = _offsetBufBundleMusic;
- break;
- }
+ }
+
+ if (_offsetSampleBundleMusic >= _outputMixerSize + header_size) {
+ memcpy(_musicBundleBufFinal, (_musicBundleBufOutput + header_size), _outputMixerSize);
+ _offsetBufBundleMusic = _offsetSampleBundleMusic - _outputMixerSize - header_size;
+ memcpy(_musicBundleBufOutput, (_musicBundleBufOutput + (_outputMixerSize + header_size)), _offsetBufBundleMusic);
+ _offsetSampleBundleMusic = _offsetBufBundleMusic;
 }
 if (_currentSampleBundleMusic == num) { |
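Review bot: The second `memcpy` in the relocated block copies within `_musicBundleBufOutput` itself, from offset `_outputMixerSize + header_size` down to offset 0, which is undefined behaviour whenever `_offsetBufBundleMusic` exceeds that distance and the two ranges overlap. With the new loop guard the leftover is presumably less than one decoded chunk, but that depends on sizes not visible in this hunk, so `memmove(_musicBundleBufOutput, (_musicBundleBufOutput + (_outputMixerSize + header_size)), _offsetBufBundleMusic);` is the safer call. The first `memcpy` likewise relies on `_musicBundleBufFinal` holding at least `_outputMixerSize` bytes, which deserves a one-line comment here given that the commit is a buffer-overflow fix.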