From c1462dda14e45e14f9070047d62f7b26130525b1 Mon Sep 17 00:00:00 2001
From: Kari Salminen
Date: Mon, 11 Aug 2008 20:18:33 +0000
Subject: Added a safeguard to readBundleFile so it shouldn't corrupt memory even if the input says the data's unpacked size is less than its packed size (This shouldn't ever happen with non-corrupted data).

svn-id: r33782
---
 engines/cine/part.cpp | 6 +++---
 engines/cine/part.h   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'engines/cine')

diff --git a/engines/cine/part.cpp b/engines/cine/part.cpp
index d2fecfc554..c1159a2012 100644
--- a/engines/cine/part.cpp
+++ b/engines/cine/part.cpp
@@ -212,18 +212,18 @@ int16 findFileInBundle(const char *fileName) {
 	return -1;
 }
 
-void readFromPart(int16 idx, byte *dataPtr) {
+void readFromPart(int16 idx, byte *dataPtr, uint32 maxSize) {
 	setMouseCursor(MOUSE_CURSOR_DISK);
 
 	g_cine->_partFileHandle.seek(partBuffer[idx].offset, SEEK_SET);
-	g_cine->_partFileHandle.read(dataPtr, partBuffer[idx].packedSize);
+	g_cine->_partFileHandle.read(dataPtr, MIN(partBuffer[idx].packedSize, maxSize));
 }
 
 byte *readBundleFile(int16 foundFileIdx) {
 	assert(foundFileIdx >= 0 && foundFileIdx < numElementInPart);
 	bool error = false;
 	byte *dataPtr = (byte *)calloc(partBuffer[foundFileIdx].unpackedSize, 1);
-	readFromPart(foundFileIdx, dataPtr);
+	readFromPart(foundFileIdx, dataPtr, partBuffer[foundFileIdx].unpackedSize);
 	if (partBuffer[foundFileIdx].unpackedSize > partBuffer[foundFileIdx].packedSize) {
 		CineUnpacker cineUnpacker;
 		error = !cineUnpacker.unpack(dataPtr, partBuffer[foundFileIdx].packedSize, dataPtr, partBuffer[foundFileIdx].unpackedSize);
diff --git a/engines/cine/part.h b/engines/cine/part.h
index 72dc944db3..a654a1aebc 100644
--- a/engines/cine/part.h
+++ b/engines/cine/part.h
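Review bot: The clamp added to readFromPart is silent: when `partBuffer[idx].packedSize` exceeds `maxSize` the entry is truncated, but nothing records it and the return value of `read()` is still ignored, so readBundleFile's `error` flag stays false for a corrupt entry whose unpacked size is smaller than its packed size and the caller receives a buffer that is partly the calloc zero fill. Since the commit message says this only occurs with corrupted data, it is exactly the case worth surfacing: one line before the read, `if (partBuffer[idx].packedSize > maxSize) warning("readFromPart: entry %d truncated from %u to %u bytes", idx, partBuffer[idx].packedSize, maxSize);`, or have readFromPart return the byte count so readBundleFile can fold a short read into `error`. The `calloc` result in readBundleFile is also used without a NULL check, which the change does not address. readFromPart is a public function whose `idx` is not range-checked the way readBundleFile's assert does, and readBundleFile's body continues past the end of the hunk.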
@@ -44,7 +44,7 @@ void closePart(void);
 
 int16 findFileInBundle(const char *fileName);
 
-void readFromPart(int16 idx, byte *dataPtr);
+void readFromPart(int16 idx, byte *dataPtr, uint32 maxSize);
 
 byte *readBundleFile(int16 foundFileIdx);
 byte *readBundleSoundFile(const char *entryName, uint32 *size = 0);
-- 
cgit v1.2.3
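Review bot: The new `maxSize` parameter on the readFromPart declaration is undocumented, so a header reader cannot tell that it is the capacity of `dataPtr` and that the read is clamped to it rather than failing. A one-line comment above the declaration would state the contract, e.g. `/** Read entry idx's packed data into dataPtr, reading at most maxSize bytes (dataPtr's capacity); a larger entry is truncated. */`. The header does not say whether a truncated read is reported, which is a property of the part.cpp implementation rather than of this declaration.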