From 32f9b9243117a59b62e381655e7e253e6e6fad00 Mon Sep 17 00:00:00 2001
From: Strangerke
Date: Wed, 8 Jun 2016 07:46:35 +0200
Subject: GNAP: Fix potential out of bound write

---
 engines/gnap/gamesys.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'engines/gnap/gamesys.cpp')

diff --git a/engines/gnap/gamesys.cpp b/engines/gnap/gamesys.cpp
index d31854d06e..11ef6fd3d7 100644
--- a/engines/gnap/gamesys.cpp
+++ b/engines/gnap/gamesys.cpp
@@ -1116,7 +1116,10 @@ void GameSys::fatUpdateFrame() {
 if (_newSpriteDrawItemsCount > 0) {
 debugC(kDebugBasic, "_newSpriteDrawItemsCount: %d", _newSpriteDrawItemsCount);
 for (int k = 0; k < _newSpriteDrawItemsCount; ++k) {
- if (_gfxItemsCount < 50) {
+ // The original was allowing a buffer overflow.
+ // In order to fit in memory, insertIndex + 1 + (_gfxItemsCount - InsertIndex) must be
+ // smaller than the size _gfxItems array (50).
+ if (_gfxItemsCount + 1 < 50) {
 int insertIndex;
 seqLocateGfx(-1, _newSpriteDrawItems[k]._id, &insertIndex);
 if (_gfxItemsCount != insertIndex)
--
cgit v1.2.3
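Review bot: The new guard `if (_gfxItemsCount + 1 < 50) {` hard-codes the same magic 50 the comment identifies as the `_gfxItems` array size, so the bound will silently drift if the declaration ever changes; it should be derived from the array's declared size or a named constant shared with that declaration, e.g. `if (_gfxItemsCount + 1 < kMaxGfxItems) {`. The comment's arithmetic also needs tightening: `insertIndex + 1 + (_gfxItemsCount - InsertIndex)` simplifies to `_gfxItemsCount + 1`, and if that is the number of occupied elements after the insert (as the wording suggests) it fits a 50-element array when it is `<= 50`, so the stricter `< 50` appears to reserve one slot permanently — acceptable if deliberate, but the comment should name the later write that required it (the shift and the insert themselves are outside the hunk, so this cannot be confirmed here), and it should spell the variable `insertIndex`, not `InsertIndex`. The guard further presumes `seqLocateGfx` returns `0 <= insertIndex <= _gfxItemsCount`; since that helper is not visible, an `assert(insertIndex >= 0 && insertIndex <= _gfxItemsCount);` right after the call would make the overflow guard self-checking rather than trusting the lookup. `fatUpdateFrame()` begins and ends outside the hunk.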