From ae4b45952133cdbc76df707b549321a96acf9c89 Mon Sep 17 00:00:00 2001
From: Max Horn
Date: Fri, 2 Jan 2004 03:20:07 +0000
Subject: Fix for bug #869045 (DIG: Crash in bundle decoder); t'was a buffer overflow
svn-id: r12079
---
 scumm/bundle.cpp | 4 ++--
 scumm/imuse_digi.cpp | 16 ++++++++--------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/scumm/bundle.cpp b/scumm/bundle.cpp
index 550ff34ec1..6d674d6abe 100644
--- a/scumm/bundle.cpp
+++ b/scumm/bundle.cpp
@@ -318,8 +318,7 @@ int32 Bundle::decompressVoiceSampleByIndex(int32 index, byte **comp_final) {
 }
 int32 Bundle::decompressMusicSampleByIndex(int32 index, int32 number, byte *comp_final) {
- int32 i = 0;
- int tag, num, final_size;
+ int final_size;
 byte *comp_input;
 if (_musicFile.isOpen() == false) {
@@ -328,6 +327,7 @@ int32 Bundle::decompressMusicSampleByIndex(int32 index, int32 number, byte *comp
 }
 if (_lastSong != index) {
+ int i, tag, num;
 _musicFile.seek(_bundleMusicTable[index].offset, SEEK_SET);
 tag = _musicFile.readUint32BE();
 num = _musicFile.readUint32BE();
diff --git a/scumm/imuse_digi.cpp b/scumm/imuse_digi.cpp
index d73c7bc688..5d7102c0c4 100644
--- a/scumm/imuse_digi.cpp
+++ b/scumm/imuse_digi.cpp
@@ -1294,7 +1294,7 @@ void IMuseDigital::bundleMusicHandler() {
 ptr = _musicBundleBufOutput;
- for (k = 0, l = _currentSampleBundleMusic; l < num; k++) {
+ for (k = 0, l = _currentSampleBundleMusic; l < num && (_offsetSampleBundleMusic < _outputMixerSize + header_size); k++) {
 length = _bundle->decompressMusicSampleByName(_nameBundleMusic, l, (_musicBundleBufOutput + ((k * 0x2000) + _offsetBufBundleMusic)));
 _offsetSampleBundleMusic += length;
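Review bot: The new loop guard and the write cursor use different arithmetic: the guard tests `_offsetSampleBundleMusic`, which advances by the `length` each decode returns, while the destination handed to `decompressMusicSampleByName` is `_musicBundleBufOutput + ((k * 0x2000) + _offsetBufBundleMusic)`, and the two only stay in step if every sample decodes to exactly 0x2000 bytes. The decoder is given no capacity for that destination, so a sample longer than the slot (if the format allows one; not visible here) still writes past whatever slack `_musicBundleBufOutput` has beyond `_outputMixerSize + header_size`, and the buffer's size is not shown in this hunk. Deriving the destination from the counter the guard checks, `_musicBundleBufOutput + _offsetSampleBundleMusic` (equal to `_offsetBufBundleMusic` at k == 0 because the tail handling assigns one from the other), keeps the bound and the cursor consistent, and an `assert` on the remaining capacity before the call would document the slack the guard relies on. bundleMusicHandler starts before the hunk and continues past it.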
@@ -1338,13 +1338,13 @@ void IMuseDigital::bundleMusicHandler() {
 l++;
 _currentSampleBundleMusic = l;
- if (_offsetSampleBundleMusic >= _outputMixerSize + header_size) {
- memcpy(_musicBundleBufFinal, (_musicBundleBufOutput + header_size), _outputMixerSize);
- _offsetBufBundleMusic = _offsetSampleBundleMusic - _outputMixerSize - header_size;
- memcpy(_musicBundleBufOutput, (_musicBundleBufOutput + (_outputMixerSize + header_size)), _offsetBufBundleMusic);
- _offsetSampleBundleMusic = _offsetBufBundleMusic;
- break;
- }
+ }
+
+ if (_offsetSampleBundleMusic >= _outputMixerSize + header_size) {
+ memcpy(_musicBundleBufFinal, (_musicBundleBufOutput + header_size), _outputMixerSize);
+ _offsetBufBundleMusic = _offsetSampleBundleMusic - _outputMixerSize - header_size;
+ memcpy(_musicBundleBufOutput, (_musicBundleBufOutput + (_outputMixerSize + header_size)), _offsetBufBundleMusic);
+ _offsetSampleBundleMusic = _offsetBufBundleMusic;
 }
 if (_currentSampleBundleMusic == num) {
-- cgit v1.2.3
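Review bot: The second `memcpy` in the relocated block copies within `_musicBundleBufOutput`, moving `_offsetBufBundleMusic` bytes from offset `_outputMixerSize + header_size` down to offset 0; memcpy on overlapping ranges is undefined behaviour, and these ranges overlap whenever the leftover exceeds `_outputMixerSize + header_size`. With the new loop guard the leftover is bounded by the length of the one sample decoded after the counter was last below the threshold, so overlap would need a single sample larger than the mixer frame plus header (whether the format permits that is not visible here), but `memmove` costs nothing and removes the assumption: `memmove(_musicBundleBufOutput, (_musicBundleBufOutput + (_outputMixerSize + header_size)), _offsetBufBundleMusic);`. A one-line comment on the block stating that the tail is at most one sample long would also make the invariant the fix depends on explicit for the next reader. bundleMusicHandler continues past the end of the hunk.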