From 59b6f0f715fb9874858feb40a22b844e42a3ce79 Mon Sep 17 00:00:00 2001
From: Torbjörn Andersson
Date: Tue, 14 Mar 2006 20:09:32 +0000
Subject: Fixed a potential bug that could cause memory to be read out-of-bounds. (Unfortunately, this does not fix the Kyra bug I'm looking for.) In the most extreme case: * DR and RR will point to &DR_TABLE[60], and AR will point to &AR_TABLE[60] * SLOT->KSR will be 0 * CH->kcode will be 15 In that case, it will attempt to access AR[15], RR[15] and DR[15], i.e. AR_TABLE[75] and DR_TABLE[75]. So these arrays need to be 76 elements, not 75. We used to initialise element 75, but this was changed to 74 to match the size of the arrays. Buf if my reasoning is correct, it was the arrays that were too small. svn-id: r21301
---
 sound/fmopl.cpp | 2 +-
 sound/fmopl.h | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/fmopl.cpp b/sound/fmopl.cpp
index faea609d21..e8f65833c9 100644
--- a/sound/fmopl.cpp
+++ b/sound/fmopl.cpp
@@ -587,7 +587,7 @@ static void init_timetables(FM_OPL *OPL, int ARRATE, int DRRATE) {
 OPL->AR_TABLE[i] = (int)(rate / ARRATE);
 OPL->DR_TABLE[i] = (int)(rate / DRRATE);
 }
- for (i = 60; i < 75; i++) {
+ for (i = 60; i < 76; i++) {
 OPL->AR_TABLE[i] = EG_AED-1;
 OPL->DR_TABLE[i] = OPL->DR_TABLE[60];
 }
diff --git a/sound/fmopl.h b/sound/fmopl.h
index 1f1412ad74..5ce447e2b2 100644
--- a/sound/fmopl.h
+++ b/sound/fmopl.h
@@ -119,8 +119,8 @@ typedef struct fm_opl_f {
 uint8 rythm; /* Rythm mode , key flag */
 /* time tables */
- int AR_TABLE[75]; /* atttack rate tables */
- int DR_TABLE[75]; /* decay rate tables */
+ int AR_TABLE[76]; /* atttack rate tables */
+ int DR_TABLE[76]; /* decay rate tables */
 uint FN_TABLE[1024];/* fnumber -> increment counter */
 /* LFO */
-- 
cgit v1.2.3
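Review bot: The new loop bound `76` in init_timetables is a second hand-maintained copy of the array length declared in sound/fmopl.h, and the commit message says the two have already drifted apart once (the loop was lowered to match arrays that were themselves too small). Deriving the bound from the array keeps them in step, for example `for (i = 60; i < (int)(sizeof(OPL->AR_TABLE) / sizeof(OPL->AR_TABLE[0])); i++) {` (the cast assumes `i` is an `int`, which the hunk does not show). The same literal is repeated in the two declarations in the fmopl.h hunk, so a single named constant shared by both files would work equally well. The body of init_timetables starts above the hunk and may continue past it.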
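Review bot: The declarations `int AR_TABLE[76];` and `int DR_TABLE[76];` carry no record of why 76 is the right size; the reasoning exists only in the commit message. A comment next to them would preserve it, for example `/* 76 = base offset of up to 60 + KSR/kcode index of up to 15, plus one */`. The code that computes those offsets and performs the indexed read is not part of this diff, so the 60 and 15 bounds cannot be checked from here; an assertion or clamp at the lookup site would turn any future violation into a visible failure instead of an out-of-bounds read. The struct fm_opl_f definition begins and ends outside the hunk.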