From 689099f9b5d93e901f4adcc24c63f7a377a33fdb Mon Sep 17 00:00:00 2001
From: Alyssa Milburn
Date: Sat, 2 Jul 2011 00:03:49 +0200
Subject: MOHAWK: Fix/add bounds checking in LBCode::nextToken.

---
 engines/mohawk/livingbooks_code.cpp | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/engines/mohawk/livingbooks_code.cpp b/engines/mohawk/livingbooks_code.cpp
index e72318d86a..96345ad845 100644
--- a/engines/mohawk/livingbooks_code.cpp
+++ b/engines/mohawk/livingbooks_code.cpp
@@ -172,12 +172,8 @@ LBValue LBCode::runCode(LBItem *src, uint32 offset) {
 }
 
 void LBCode::nextToken() {
-	if (_currOffset + 1 >= _size) {
-		// TODO
-		warning("went off the end of code");
-		_currToken = kTokenEndOfFile;
-		_currValue = LBValue();
-		return;
+	if (_currOffset >= _size) {
+		error("went off the end of code");
 	}
 
 	_currToken = _data[_currOffset++];
@@ -186,6 +182,8 @@ void LBCode::nextToken() {
 	switch (_currToken) {
 	case kTokenIdentifier:
 		{
+		if (_currOffset + 2 > _size)
+			error("went off the end of code reading identifier");
 		uint16 offset = READ_BE_UINT16(_data + _currOffset);
 		// TODO: check string exists
 		_currValue = _strings[offset];
@@ -195,9 +193,13 @@ void LBCode::nextToken() {
 
 	case kTokenLiteral:
 		{
+		if (_currOffset + 1 > _size)
+			error("went off the end of code reading literal");
 		byte literalType = _data[_currOffset++];
 		switch (literalType) {
 		case kLBCodeLiteralInteger:
+			if (_currOffset + 2 > _size)
+				error("went off the end of code reading literal integer");
 			_currValue = READ_BE_UINT16(_data + _currOffset);
 			_currOffset += 2;
 			break;
@@ -211,6 +213,8 @@ void LBCode::nextToken() {
 	case kTokenConstEventId:
 	case 0x5e: // TODO: ??
 	case kTokenKeycode:
+		if (_currOffset + 2 > _size)
+			error("went off the end of code reading immediate");
 		_currValue = READ_BE_UINT16(_data + _currOffset);
 		_currOffset += 2;
 		break;
@@ -227,6 +231,8 @@ void LBCode::nextToken() {
 
 	case kTokenString:
 		{
+		if (_currOffset + 2 > _size)
+			error("went off the end of code reading string");
 		uint16 offset = READ_BE_UINT16(_data + _currOffset);
 		// TODO: check string exists
 		_currValue = _strings[offset];
-- 
cgit v1.2.3