From 55c2a6001c9213b58431b2bcbed5d8de448cf6d9 Mon Sep 17 00:00:00 2001
From: Paul Gilbert
Date: Thu, 12 Apr 2018 19:13:35 -0400
Subject: XEEN: Fix read of freed data in multiple rapid playFX calls
---
engines/xeen/sound.cpp | 44 +++++++++++++++++++++----------------------
engines/xeen/sound_driver.cpp | 5 +----
2 files changed, 23 insertions(+), 26 deletions(-)
diff --git a/engines/xeen/sound.cpp b/engines/xeen/sound.cpp
index be15028f42..9800af5403 100644
--- a/engines/xeen/sound.cpp
+++ b/engines/xeen/sound.cpp
@@ -121,29 +121,29 @@ void Sound::updateSoundSettings() {
 void Sound::loadEffectsData() {
 // Stop any prior FX
 stopFX();
- delete[] _effectsData;
- // Load in an entire driver so we have quick access to the effects data
- // that's hardcoded within it
- File file("blastmus");
- byte *effectsData = new byte[file.size()];
- file.seek(0);
- file.read(effectsData, file.size());
- file.close();
- _effectsData = effectsData;
-
- // Locate the playFX routine
- const byte *fx = effectsData + READ_LE_UINT16(effectsData + 10) + 12;
- assert(READ_BE_UINT16(fx + 28) == 0x81FB);
- uint numEffects = READ_LE_UINT16(fx + 30);
-
- assert(READ_BE_UINT16(fx + 36) == 0x8B87);
- const byte *table = effectsData + READ_LE_UINT16(fx + 38);
-
- // Extract the effects offsets
- _effectsOffsets.resize(numEffects);
- for (uint idx = 0; idx < numEffects; ++idx)
- _effectsOffsets[idx] = READ_LE_UINT16(&table[idx * 2]);
+ if (!_effectsData) {
+ // Load in an entire driver so we have quick access to the effects data that's hardcoded within it
+ File file("blastmus");
+ byte *effectsData = new byte[file.size()];
+ file.seek(0);
+ file.read(effectsData, file.size());
+ file.close();
+ _effectsData = effectsData;
+
+ // Locate the playFX routine
+ const byte *fx = effectsData + READ_LE_UINT16(effectsData + 10) + 12;
+ assert(READ_BE_UINT16(fx + 28) == 0x81FB);
+ uint numEffects = READ_LE_UINT16(fx + 30);
+
+ assert(READ_BE_UINT16(fx + 36) == 0x8B87);
+ const byte *table = effectsData + READ_LE_UINT16(fx + 38);
+
+ // Extract the effects offsets
+ _effectsOffsets.resize(numEffects);
+ for (uint idx = 0; idx < numEffects; ++idx)
+ _effectsOffsets[idx] = READ_LE_UINT16(&table[idx * 2]);
+ }
 }
 void Sound::playFX(uint effectId) {
diff --git a/engines/xeen/sound_driver.cpp b/engines/xeen/sound_driver.cpp
index 6ce10d9641..e79fcdd501 100644
--- a/engines/xeen/sound_driver.cpp
+++ b/engines/xeen/sound_driver.cpp
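Review bot: Inside the new `if (!_effectsData)` block in `Sound::loadEffectsData()`, every offset taken from the `blastmus` file is turned into a pointer without being compared against `file.size()`, so a truncated or altered data file can make the reads at `fx + 28` through `fx + 38` and the `table[idx * 2]` loop run past the end of the `new byte[...]` allocation. The two `assert` signature checks do not cover this, and they are compiled out wherever assertions are disabled. I would keep the size in a local and reject the file before building `_effectsOffsets`, for example `if (fxOffset + 12 + 40 > size || tableOffset + numEffects * 2 > size)` followed by a hard load failure. The result of `file.read(effectsData, file.size())` is also ignored, so a short read leaves the tail of the buffer uninitialised. Since the buffer now stays cached once loaded, it is worth confirming (outside this hunk) that nothing else still deletes `_effectsData` without resetting it to null.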
@@ -126,10 +126,7 @@ bool SoundDriver::musSkipWord(const byte *&srcP, byte param) {
 bool SoundDriver::cmdFreezeFrequency(const byte *&srcP, byte param) {
 debugC(3, kDebugSound, "cmdFreezeFrequency %d", param);
- if (param >= _channels.size())
- warning("Invalid channel %d in cmdFreezeFrequency call", param);
- else
- _channels[param]._changeFrequency = false;
+ _channels[param]._changeFrequency = false;
 return false;
 }
--
cgit v1.2.3
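Review bot: `SoundDriver::cmdFreezeFrequency` now indexes `_channels[param]` with no range check, and `param` is a byte that appears to come from the sound command stream, so any value at or above `_channels.size()` becomes an out-of-bounds write to `_changeFrequency`. The removed guard was presumably only firing because of the freed-data read this commit fixes, but it was also the only thing protecting this write from a malformed or corrupt effect stream. Unless the container's `operator[]` is bounds-checked in release builds (not visible here), I would keep the check and drop only the noise: `if (param < _channels.size()) _channels[param]._changeFrequency = false;`. A comment such as `// param is a channel index taken from the FX data; ignore out-of-range values` would record why the guard is there.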