From e0a04a3185d92b0979babdf23a3eaf49c5d815a8 Mon Sep 17 00:00:00 2001
From: Thomas Fach-Pedersen
Date: Mon, 24 Oct 2016 19:24:32 +0200
Subject: BLADERUNNER: Fix out-of-bounds access in voiceover actor (multiple CIDs)

CID 1364219
CID 1364223
---
 engines/bladerunner/actor.cpp | 4 ++--
 engines/bladerunner/adq.cpp | 2 +-
 engines/bladerunner/bladerunner.cpp | 4 ++--
 engines/bladerunner/bladerunner.h | 6 ++++--
 engines/bladerunner/script/script.cpp | 10 ++++++----
 5 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/engines/bladerunner/actor.cpp b/engines/bladerunner/actor.cpp
index c778a6dee0..9a8892cf6c 100644
--- a/engines/bladerunner/actor.cpp
+++ b/engines/bladerunner/actor.cpp
@@ -868,7 +868,7 @@ void Actor::speechPlay(int sentenceId, bool voiceOver) {
 	sprintf(name, "%02d-%04d.AUD", _id, sentenceId); //TODO somewhere here should be also language code
 	int balance;
-	if (voiceOver || _id == 99) {
+	if (voiceOver || _id == VOICEOVER_ACTOR) {
 		balance = 0;
 	} else {
 		// Vector3 pos = _vm->_view->_frameViewMatrix * _position;
@@ -910,7 +910,7 @@ void Actor::copyClues(int actorId) {
 	for (int i = 0; i < (int)_vm->_gameInfo->getClueCount(); i++) {
 		if (hasClue(i) && !_clues->isFlag4(i) && !otherActor->hasClue(i)) {
 			int fromActorId = _id;
-			if (_id == 99)
+			if (_id == VOICEOVER_ACTOR)
 				fromActorId = _clues->getFromActorId(i);
 			otherActor->acquireClue(i, 0, fromActorId);
 		}
diff --git a/engines/bladerunner/adq.cpp b/engines/bladerunner/adq.cpp
index ca72497b99..d2d3dec6ce 100644
--- a/engines/bladerunner/adq.cpp
+++ b/engines/bladerunner/adq.cpp
@@ -50,7 +50,7 @@ ADQ::~ADQ() {
 }
 
 void ADQ::add(int actorId, int sentenceId, int animationMode) {
-	if (actorId == 0 || actorId == 99) {
+	if (actorId == 0 || actorId == VOICEOVER_ACTOR) {
 		animationMode = -1;
 	}
 	if (_entries.size() < 25) {
diff --git a/engines/bladerunner/bladerunner.cpp b/engines/bladerunner/bladerunner.cpp
index 6fe66d02bc..33110c07de 100644
--- a/engines/bladerunner/bladerunner.cpp
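Review bot: The `sprintf(name, "%02d-%04d.AUD", _id, sentenceId)` context line at the top of the first hunk still writes `name` with no length bound, and `%02d`/`%04d` are minimum widths, so a negative or five-digit `sentenceId` emits more characters than the pattern suggests. The declaration of `name` is outside the hunk so its size cannot be confirmed here, but `snprintf(name, sizeof(name), "%02d-%04d.AUD", _id, sentenceId);` keeps the write bounded whatever the ids are. speechPlay continues past the end of the hunk.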
+++ b/engines/bladerunner/bladerunner.cpp
@@ -236,12 +236,12 @@ bool BladeRunnerEngine::startup(bool hasSavegames) {
 	_zBuffer2 = new uint16[640 * 480];
 
 	int actorCount = (int)_gameInfo->getActorCount();
-	assert(actorCount < 99);
+	assert(actorCount < ACTORS_COUNT);
 	for (int i = 0; i != actorCount; ++i) {
 		_actors[i] = new Actor(this, i);
 		_actors[i]->setup(i);
 	}
-	_voiceoverActor = new Actor(this, 99);
+	_actors[VOICEOVER_ACTOR] = new Actor(this, VOICEOVER_ACTOR);
 
 	_playerActor = _actors[_gameInfo->getPlayerId()];
 	_playerActor->setFPS(15);
diff --git a/engines/bladerunner/bladerunner.h b/engines/bladerunner/bladerunner.h
index bbef17820d..b0eb4591cd 100644
--- a/engines/bladerunner/bladerunner.h
+++ b/engines/bladerunner/bladerunner.h
@@ -64,6 +64,9 @@ class TextResource;
 class View;
 class Waypoints;
 
+#define ACTORS_COUNT 100
+#define VOICEOVER_ACTOR (ACTORS_COUNT - 1)
+
 class BladeRunnerEngine : public Engine {
 public:
 	bool _gameIsRunning;
@@ -107,8 +110,7 @@ public:
 	Common::Array _shapes;
 
-	Actor *_actors[99];
-	Actor *_voiceoverActor;
+	Actor *_actors[ACTORS_COUNT];
 	Actor *_playerActor;
 
 	int in_script_counter;
diff --git a/engines/bladerunner/script/script.cpp b/engines/bladerunner/script/script.cpp
index 060f8778d4..b0bb638440 100644
--- a/engines/bladerunner/script/script.cpp
+++ b/engines/bladerunner/script/script.cpp
@@ -432,11 +432,13 @@ void ScriptBase::Actor_Voice_Over(int sentenceId, int actorId) {
 #endif
 
 void ScriptBase::Actor_Voice_Over(int sentenceId, int actorId) {
+	assert(actorId < ACTORS_COUNT);
+
 	_vm->gameWaitForActive();
 	_vm->loopActorSpeaking();
 	_vm->_adq->flush(1, true);
-	Actor *actor = (actorId == 99) ? _vm->_voiceoverActor : _vm->_actors[actorId];
+	Actor *actor = _vm->_actors[actorId];
 	actor->speechPlay(sentenceId, true);
 
 	Player_Loses_Control();
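Review bot: `assert(actorCount < ACTORS_COUNT)` in startup() is the only thing standing between a value read from the game's data files (`_gameInfo->getActorCount()`) and the `_actors[i]` writes in the loop below it, so in a build where `assert` compiles out a malformed or edited data file overruns the array. A check that survives release builds, e.g. `if (actorCount >= ACTORS_COUNT) error("Too many actors: %d", actorCount);`, would fail safely instead. Note also that the hunk fills slots `0..actorCount-1` and slot `VOICEOVER_ACTOR` only; unless the constructor zeroes `_actors` (not visible here), the slots in between keep indeterminate pointers. startup() continues outside the hunk.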
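Review bot: `ACTORS_COUNT` and `VOICEOVER_ACTOR` are introduced as object-like macros in the bladerunner.h header, which escapes any namespace and carries no type; typed constants such as `static const int ACTORS_COUNT = 100;` and `static const int VOICEOVER_ACTOR = ACTORS_COUNT - 1;` are equally usable as array bounds and are visible to the debugger. The `_actors` declaration in the second bladerunner.h hunk also deserves a comment now that it absorbs the former `_voiceoverActor`, along the lines of `// game actors in slots 0..getActorCount()-1, voice-over actor in slot VOICEOVER_ACTOR`, since nothing else documents why the array is one larger than the old limit.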
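Review bot: The new `assert(actorId < ACTORS_COUNT)` in Actor_Voice_Over has no lower bound, so a negative `actorId` from a script still indexes `_vm->_actors` before the array on the changed `Actor *actor = ...` line; `assert(actorId >= 0 && actorId < ACTORS_COUNT);` closes that gap. The check also admits ids between the game's actor count and `VOICEOVER_ACTOR`, whose slots the bladerunner.cpp hunk does not populate, so the dereference on the next line relies on the array being initialised somewhere not shown. The same unchecked `_vm->_actors[actorId]` index appears in the last hunk of this file (`Actor_Clues_Transfer_New_To_Mainframe`) without any assert. Actor_Voice_Over continues past the end of this hunk.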
@@ -458,7 +460,7 @@ void ScriptBase::Actor_Start_Speech_Sample(int actorId, int sentenceId) {
 
 void ScriptBase::Actor_Start_Voice_Over_Sample(int sentenceId) {
 	_vm->loopActorSpeaking();
-	_vm->_voiceoverActor->speechPlay(sentenceId, true);
+	_vm->_actors[VOICEOVER_ACTOR]->speechPlay(sentenceId, true);
 }
 
 int ScriptBase::Actor_Query_Which_Set_In(int actorId) {
@@ -646,11 +648,11 @@ bool ScriptBase::Actor_Clue_Query(int actorId, int clueId) {
 }
 
 void ScriptBase::Actor_Clues_Transfer_New_To_Mainframe(int actorId) {
-	_vm->_actors[actorId]->copyClues(99);
+	_vm->_actors[actorId]->copyClues(VOICEOVER_ACTOR);
 }
 
 void ScriptBase::Actor_Clues_Transfer_New_From_Mainframe(int actorId) {
-	_vm->_voiceoverActor->copyClues(actorId);
+	_vm->_actors[VOICEOVER_ACTOR]->copyClues(actorId);
 }
 
 void ScriptBase::Actor_Set_Invisible(int actorId, bool isInvisible) {
-- 
cgit v1.2.3