From 0b4bbef76283e688c76399dc5bc0193b0b07e7cb Mon Sep 17 00:00:00 2001
From: Travis Howell
Date: Thu, 4 May 2006 06:18:19 +0000
Subject: Don't read beyond imageCount, when looking for image
svn-id: r22330
---
 engines/simon/simon.cpp | 19 ++++++++++++++-----
 engines/simon/vga.cpp | 16 +++++++++++++---
 2 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/engines/simon/simon.cpp b/engines/simon/simon.cpp
index 4066929a89..37670217e8 100644
--- a/engines/simon/simon.cpp
+++ b/engines/simon/simon.cpp
@@ -1414,7 +1414,7 @@ void SimonEngine::set_video_mode_internal(uint16 mode, uint16 vga_res_id) {
 uint num, num_lines;
 VgaPointersEntry *vpe;
 byte *bb, *b;
- // uint16 count;
+ uint16 count;
 const byte *vc_ptr_org;
 _windowNum = mode;
@@ -1454,18 +1454,27 @@ void SimonEngine::set_video_mode_internal(uint16 mode, uint16 vga_res_id) {
 if (getGameType() == GType_FF) {
 b = bb + READ_LE_UINT16(&((VgaFileHeader_Feeble *) bb)->hdr2_start);
- //count = READ_LE_UINT16(&((VgaFileHeader2_Feeble *) b)->imageCount);
+ count = READ_LE_UINT16(&((VgaFileHeader2_Feeble *) b)->imageCount);
 b = bb + READ_LE_UINT16(&((VgaFileHeader2_Feeble *) b)->imageTable);
- while (READ_LE_UINT16(&((ImageHeader_Feeble *) b)->id) != vga_res_id)
+ while (count--) {
+ if (READ_LE_UINT16(&((ImageHeader_Feeble *) b)->id) == vga_res_id)
+ break;
 b += sizeof(ImageHeader_Feeble);
+ }
+ assert(READ_LE_UINT16(&((ImageHeader_Feeble *) b)->id) == vga_res_id);
+
 } else {
 b = bb + READ_BE_UINT16(&((VgaFileHeader_Simon *) bb)->hdr2_start);
- //count = READ_BE_UINT16(&((VgaFileHeader2_Simon *) b)->imageCount);
+ count = READ_BE_UINT16(&((VgaFileHeader2_Simon *) b)->imageCount);
 b = bb + READ_BE_UINT16(&((VgaFileHeader2_Simon *) b)->imageTable);
- while (READ_BE_UINT16(&((ImageHeader_Simon *) b)->id) != vga_res_id)
+ while (count--) {
+ if (READ_BE_UINT16(&((ImageHeader_Simon *) b)->id) == vga_res_id)
+ break;
 b += sizeof(ImageHeader_Simon);
+ }
+ assert(READ_BE_UINT16(&((ImageHeader_Simon *) b)->id) == vga_res_id);
 }
 if (getGameType() == GType_SIMON1) {
diff --git a/engines/simon/vga.cpp b/engines/simon/vga.cpp
index cf9e7789a6..9e85f7ae48 100644
--- a/engines/simon/vga.cpp
+++ b/engines/simon/vga.cpp
@@ -297,7 +297,7 @@ void SimonEngine::vc1_fadeOut() {
 void SimonEngine::vc2_call() {
 VgaPointersEntry *vpe;
- uint16 num, res;
+ uint16 count, num, res;
 byte *old_file_1, *old_file_2;
 byte *b, *bb;
 const byte *vc_ptr_org;
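Review bot: When the id is not in the table, the `while (count--)` loop in set_video_mode_internal leaves `b` one entry past the last image header, and the `assert` that follows reads `id` from that position, so the out-of-table read this commit sets out to remove still happens once on the not-found path; in a build where `assert` is compiled out, `b` is then used as if it were a match. The same pattern is in both branches here and in both branches of the vc2_call hunk in engines/simon/vga.cpp; both functions extend beyond their hunks. I would let the loop itself carry the result, so that `count` is non-zero only on a match, and fail through an explicit error call instead of an assert that dereferences `b` again. Separately, `hdr2_start`, `imageTable` and `imageCount` are taken from the resource data as-is; whether they are checked against the size of the loaded file is not visible in this hunk and is worth confirming.

```cpp
		b = bb + READ_LE_UINT16(&((VgaFileHeader2_Feeble *) b)->imageTable);

		// Stop on the match or when the table is exhausted;
		// count is non-zero afterwards only if an entry matched.
		for (; count != 0; count--, b += sizeof(ImageHeader_Feeble)) {
			if (READ_LE_UINT16(&((ImageHeader_Feeble *) b)->id) == vga_res_id)
				break;
		}
		if (count == 0)
			error("set_video_mode_internal: image %d not found", vga_res_id);
		// … unchanged: the else branch, which takes the same loop shape with READ_BE_UINT16 and ImageHeader_Simon …
```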
@@ -326,16 +326,26 @@ void SimonEngine::vc2_call() {
 bb = _curVgaFile1;
 if (getGameType() == GType_FF) {
 b = bb + READ_LE_UINT16(&((VgaFileHeader_Feeble *) bb)->hdr2_start);
+ count = READ_LE_UINT16(&((VgaFileHeader2_Feeble *) b)->imageCount);
 b = bb + READ_LE_UINT16(&((VgaFileHeader2_Feeble *) b)->imageTable);
- while (READ_LE_UINT16(&((ImageHeader_Feeble *) b)->id) != num)
+ while (count--) {
+ if (READ_LE_UINT16(&((ImageHeader_Feeble *) b)->id) == num)
+ break;
 b += sizeof(ImageHeader_Feeble);
+ }
+ assert(READ_LE_UINT16(&((ImageHeader_Feeble *) b)->id) == num);
 } else {
 b = bb + READ_BE_UINT16(&((VgaFileHeader_Simon *) bb)->hdr2_start);
+ count = READ_BE_UINT16(&((VgaFileHeader2_Simon *) b)->imageCount);
 b = bb + READ_BE_UINT16(&((VgaFileHeader2_Simon *) b)->imageTable);
- while (READ_BE_UINT16(&((ImageHeader_Simon *) b)->id) != num)
+ while (count--) {
+ if (READ_BE_UINT16(&((ImageHeader_Simon *) b)->id) == num)
+ break;
 b += sizeof(ImageHeader_Simon);
+ }
+ assert(READ_BE_UINT16(&((ImageHeader_Simon *) b)->id) == num);
 }
 vc_ptr_org = _vcPtr;
--
cgit v1.2.3