From f20015f52668fe94c77e60cbc95bd3d1f6fdbba7 Mon Sep 17 00:00:00 2001
From: Adrian Frühwirth
Date: Wed, 18 Apr 2018 20:02:08 +0200
Subject: ZVISION: Fix crash when loading a savegame

Commit 00e59a3122 introduced a change to savegame handling which results in savegame thumbnails only being loaded when necessary. ZVISION's readSaveGameHeader() doesn't under all circumstances initialize the thumbnail pointer and 00e59a3122 failed to remove an otherwise unnecessary delete which resulted in the uninitialized thumbnail pointer being passed to delete (UB). Thanks to eriktorbjorn for noticing.
---
 engines/zvision/file/save_manager.cpp | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/engines/zvision/file/save_manager.cpp b/engines/zvision/file/save_manager.cpp
index b33d33cdf1..4676272146 100644
--- a/engines/zvision/file/save_manager.cpp
+++ b/engines/zvision/file/save_manager.cpp
@@ -162,8 +162,6 @@ Common::Error SaveManager::loadGame(int slot) {
 scriptManager->deserialize(saveFile);
 delete saveFile;
- if (header.thumbnail)
- delete header.thumbnail;
 if (_engine->getGameId() == GID_NEMESIS && scriptManager->getCurrentLocation() == "tv2f") {
 // WORKAROUND for script bug #6793: location tv2f (stairs) has two states:
@@ -190,16 +188,19 @@ Common::Error SaveManager::loadGame(int slot) {
 }
 bool SaveManager::readSaveGameHeader(Common::InSaveFile *in, SaveGameHeader &header, bool skipThumbnail) {
+ header.saveYear = 0;
+ header.saveMonth = 0;
+ header.saveDay = 0;
+ header.saveHour = 0;
+ header.saveMinutes = 0;
+ header.saveName.clear();
+ header.thumbnail = nullptr;
+ header.version = 0;
+
 uint32 tag = in->readUint32BE();
 // Check if it's original savegame than fill header structure
 if (tag == MKTAG('Z', 'N', 'S', 'G')) {
- header.saveYear = 0;
- header.saveMonth = 0;
- header.saveDay = 0;
- header.saveHour = 0;
- header.saveMinutes = 0;
 header.saveName = "Original Save";
- header.thumbnail = NULL;
 header.version = SAVE_ORIGINAL;
 in->seek(-4, SEEK_CUR);
 return true;
@@ -226,7 +227,6 @@ bool SaveManager::readSaveGameHeader(Common::InSaveFile *in, SaveGameHeader &hea
 }
 // Read in the save name
- header.saveName.clear();
 char ch;
 while ((ch = (char)in->readByte()) != '\0')
 header.saveName += ch;
--
cgit v1.2.3
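Review bot: The reset block added at the top of readSaveGameHeader() leaves `header.thumbnail` defined on every return path, but it protects only headers that are passed through this function, and it overwrites the pointer without freeing it. A caller that reuses a header which already owns a thumbnail would therefore leak it, and with the delete in loadGame() removed by the first hunk, nothing in this patch frees a thumbnail that does get loaded; whether any call site is affected cannot be seen from this diff. Because the original crash was a delete on an uninitialized pointer, initializing the field where `SaveGameHeader` is declared (outside this patch) would close the same hole for every instance, not just the ones read here. I would also add a comment above the block, for example `// Reset all fields up front so every early return leaves the header in a defined state; the caller owns header.thumbnail if it is non-null.` The function body continues past the end of this hunk.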