From 22398e571bf8b4cfb04fcd00ffcef81eeb998d66 Mon Sep 17 00:00:00 2001
From: Colin Snover
Date: Sat, 10 Dec 2016 19:18:34 -0600
Subject: SCI: Fix buffer overflows in GfxPicture circle drawing

Fixes Trac#9660.
---
 engines/sci/graphics/picture.cpp | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/engines/sci/graphics/picture.cpp b/engines/sci/graphics/picture.cpp
index 75a885da57..864327feaa 100644
--- a/engines/sci/graphics/picture.cpp
+++ b/engines/sci/graphics/picture.cpp
@@ -1212,6 +1212,7 @@ void GfxPicture::vectorPatternTexturedBox(Common::Rect box, byte color, byte pri
 
 void GfxPicture::vectorPatternCircle(Common::Rect box, byte size, byte color, byte prio, byte control) {
 byte flag = _screen->getDrawingMask(color, prio, control);
+ assert(size < ARRAYSIZE(vectorPatternCircles));
 const byte *circleData = vectorPatternCircles[size];
 byte bitmap = *circleData;
 byte bitNo = 0;
@@ -1219,21 +1220,23 @@ void GfxPicture::vectorPatternCircle(Common::Rect box, byte size, byte color, by
 
 for (y = box.top; y < box.bottom; y++) {
 for (x = box.left; x < box.right; x++) {
+ if (bitNo == 8) {
+ circleData++;
+ bitmap = *circleData;
+ bitNo = 0;
+ }
 if (bitmap & 1) {
 _screen->vectorPutPixel(x, y, flag, color, prio, control);
 }
 bitNo++;
- if (bitNo == 8) {
- circleData++; bitmap = *circleData; bitNo = 0;
- } else {
- bitmap = bitmap >> 1;
- }
+ bitmap >>= 1;
 }
 }
 }
 
 void GfxPicture::vectorPatternTexturedCircle(Common::Rect box, byte size, byte color, byte prio, byte control, byte texture) {
 byte flag = _screen->getDrawingMask(color, prio, control);
+ assert(size < ARRAYSIZE(vectorPatternCircles));
 const byte *circleData = vectorPatternCircles[size];
 byte bitmap = *circleData;
 byte bitNo = 0;
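Review bot: The new `assert(size < ARRAYSIZE(vectorPatternCircles));` is the only guard in front of the `vectorPatternCircles[size]` lookup on the next line, and an assert protects only builds where assertions are compiled in. If `size` is derived from picture resource data (its origin is outside this hunk), a check that survives every build configuration would be safer, for example `if (size >= ARRAYSIZE(vectorPatternCircles)) error("vectorPatternCircle: invalid pattern size %d", size);`. The identical assert added to vectorPatternTexturedCircle in the following hunk has the same limitation. vectorPatternCircle's body continues outside this hunk.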
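Review bot: The loop still takes its length from `box` rather than from the pattern table: `circleData++` in the relocated block runs once per eight pixels of `box`, and nothing in the hunk ties the rectangle's area to the number of bits stored in `vectorPatternCircles[size]`. Moving the advance ahead of the bit test removes the read of the byte just past the last pattern bit, but a rectangle larger than the pattern for `size` would still walk past the end of the row. How `box` is computed is outside this hunk; if callers guarantee the match, a comment stating the invariant would help, e.g. `// box must cover exactly the bits stored for this size`, and otherwise a remaining-bytes counter checked before `bitmap = *circleData;` would bound the read. The same applies to the copy of this block in vectorPatternTexturedCircle.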
@@ -1242,6 +1245,11 @@ void GfxPicture::vectorPatternTexturedCircle(Common::Rect box, byte size, byte c
 
 for (y = box.top; y < box.bottom; y++) {
 for (x = box.left; x < box.right; x++) {
+ if (bitNo == 8) {
+ circleData++;
+ bitmap = *circleData;
+ bitNo = 0;
+ }
 if (bitmap & 1) {
 if (*textureData) {
 _screen->vectorPutPixel(x, y, flag, color, prio, control);
@@ -1249,11 +1257,7 @@ void GfxPicture::vectorPatternTexturedCircle(Common::Rect box, byte size, byte c
 textureData++;
 }
 bitNo++;
- if (bitNo == 8) {
- circleData++; bitmap = *circleData; bitNo = 0;
- } else {
- bitmap = bitmap >> 1;
- }
+ bitmap >>= 1;
 }
 }
 }
-- 
cgit v1.2.3
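Review bot: `*textureData` gets no counterpart to the new `size` check: it is dereferenced in this hunk and incremented in the next one once per set pattern bit, and no bound on it is visible in either. textureData is initialised outside the hunks shown, presumably from the `texture` parameter; if that value comes from picture data, its lookup deserves a range assertion like the one added for `size`. At minimum a comment such as `// textureData advances once per set pattern bit; the texture table must extend that far past the start offset` would record the assumption the loop depends on.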