From 50cfb7ad46ff65ab038f4694bafb4d817ef8529e Mon Sep 17 00:00:00 2001
From: Colin Snover
Date: Fri, 22 Sep 2017 13:20:49 -0500
Subject: SCI32: Fix size for dereferencing non-raw SCI32 arrays

The maxSize given when generating a SegmentRef is supposed to be the maximum size of raw data that can be held inside the offset- part of a reg_t, not the entire size including the segment.

This fixes a buffer overflow in "Inside the Chest", which still does not work, but at least doesn't cause heap overflows anymore with this change.
---
 engines/sci/engine/segment.h | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/engines/sci/engine/segment.h b/engines/sci/engine/segment.h
index 8eca6713b3..ddb34582ab 100644
--- a/engines/sci/engine/segment.h
+++ b/engines/sci/engine/segment.h
@@ -505,10 +505,14 @@ public:
 }
 
 /**
- * Returns the size of the array, in bytes.
+ * Returns the maximum number of bytes that can be stored in the array.
 */
 uint16 byteSize() const {
- return _size * _elementSize;
+ uint16 size = _size;
+ if (_type == kArrayTypeID || _type == kArrayTypeInt16) {
+ size *= sizeof(uint16);
+ }
+ return size;
 }
 
 /**
@@ -892,7 +896,7 @@ public:
 break;
 }
 
- return Common::String::format("type %s; %u entries; %u bytes", type, size(), byteSize());
+ return Common::String::format("type %s; %u entries", type, size());
 }
 
 protected:
-- 
cgit v1.2.3
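Review bot: The new byteSize() body on the `+` lines of the first hunk can still wrap silently: `size` is a uint16, so `size *= sizeof(uint16)` promotes, multiplies and truncates back on assignment, and any `_size` above 32767 reports a byte count that is too small by a multiple of 65536 (32768 elements reports 0). Since the commit message says this value is the maxSize used to bound raw dereferences through a SegmentRef, a wrapped value under-reports capacity rather than allowing an overflow, but it is still a wrong bound; whether `_size` can actually reach that range depends on its declared type, which is outside the hunk. I would compute in a wider type and make the 16-bit limit explicit: `const uint32 bytes = (_type == kArrayTypeID || _type == kArrayTypeInt16) ? (uint32)_size * sizeof(uint16) : _size;` then `assert(bytes <= 0xFFFF);` and `return (uint16)bytes;`. The element-size branch also treats every type other than kArrayTypeID/kArrayTypeInt16 as one byte per element without saying so; a switch over `_type` with a default that calls `error()` would make a future array type fail loudly instead of being mis-sized.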