From a2e9bc706c3792a5430fefe3cb040dd5ccc39b88 Mon Sep 17 00:00:00 2001
From: Sven Hesse
Date: Sun, 17 Dec 2006 21:20:51 +0000
Subject: Added a range check in Draw_v2::printText(), fixing invalid reads. It *shouldn't* pose any problem s

svn-id: r24866
---
 engines/gob/draw_v2.cpp | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/engines/gob/draw_v2.cpp b/engines/gob/draw_v2.cpp
index 084e0cedb9..fcdb96646a 100644
--- a/engines/gob/draw_v2.cpp
+++ b/engines/gob/draw_v2.cpp
@@ -118,6 +118,7 @@ void Draw_v2::printText(void) {
 	int16 strPosBak;
 	int16 maskChar;
 	int16 width;
+	int16 size;
 
 	index = _vm->_inter->load16();
 
@@ -126,6 +127,7 @@ void Draw_v2::printText(void) {
 	if ((_vm->_game->_totTextData == 0) || (_vm->_game->_totTextData->dataPtr == 0))
 		return;
 
+	size = _vm->_game->_totTextData->items[index].size;
 	dataPtr = _vm->_game->_totTextData->dataPtr + _vm->_game->_totTextData->items[index].offset;
 	ptr = dataPtr;
 
@@ -158,7 +160,7 @@ void Draw_v2::printText(void) {
 
 	ptr += 8;
 
-	_backColor = *ptr++;
+	_backColor = (byte) *ptr++;
 	_transparency = 1;
 	spriteOperation(DRAW_CLEARRECT);
 
@@ -189,7 +191,9 @@ void Draw_v2::printText(void) {
 	}
 
 	ptr += 2;
-	for (ptr2 = ptr; *ptr2 != 1; ptr2++) {
+	// Adding the boundary check *shouldn't* pose any problems, since access behind
+	// that point should be forbidden anyway.
+	for (i = 0, ptr2 = ptr; ((ptr2 - dataPtr) < size) && (*ptr2 != 1); ptr2++, i++) {
 		if ((_vm->_game->_totFileData[0x29] < 0x32) &&
 				(*ptr2 > 3) && (*ptr2 < 32))
 			*ptr2 = 32;
@@ -226,7 +230,7 @@ void Draw_v2::printText(void) {
 			break;
 
 		case 10:
-			ptr2 += (ptr2[1] * 2) + 2;
+			ptr2 += (((byte) ptr2[1]) * 2) + 2;
 			break;
 
 		default:
@@ -337,7 +341,7 @@ void Draw_v2::printText(void) {
 
 		case 4:
 			ptr++;
-			frontColor = (byte) *ptr++;
+			frontColor = (byte) *ptr++;
 			break;
 
 		case 6:
-- 
cgit v1.2.3
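Review bot: `size` is read from `items[index].size` with `index` taken straight from `load16()` in the first hunk, and no check of `index` against the number of items in `_totTextData` is visible in this change; if that check does not happen elsewhere, the new read is as out of range as the neighbouring `offset` read for a malformed TOT file. If `_totTextData` carries an item count, a `return` on an out-of-range `index` placed before this line would make the new range check complete. Separately, `size` is declared `int16` in the first hunk; if the item's size field is wider or unsigned, values of 32768 and above turn negative and the loop's `(ptr2 - dataPtr) < size` test then fails on its first iteration, so the local's width is worth confirming against the item struct. printText starts and ends outside these hunks.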
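Review bot: The new bound in the for header only covers the `*ptr2 != 1` read; the `case 10:` arm in the following hunk still reads `ptr2[1]` with no check that a second byte lies inside `size`, so an item whose last byte is opcode 10 reads one past its end before the header test can stop the loop. A guard such as `if ((ptr2 - dataPtr) + 1 >= size) break;` before `ptr2 += (((byte) ptr2[1]) * 2) + 2;` would close that gap. The loop can now also end on the size bound rather than on the terminator byte 1, and whether the code after the loop tolerates a missing terminator is not visible here; a one-line comment at the loop, `// may exit on the size bound without having seen the 1 terminator`, would document that second exit path for the reader. `i` is initialised in the new header but declared and consumed outside the hunk; printText starts and ends outside it.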