From b4515d087257e1ab27712dc1bffece3f1cd39391 Mon Sep 17 00:00:00 2001
From: Willem Jan Palenstijn
Date: Tue, 25 Oct 2016 23:11:13 +0200
Subject: KYRA: (LOL) Fix buffer overflow in _lastOverridePalFile

It was storing filenames of length 12 in a char[12] buffer.
Fixes bug #9627.
---
 engines/kyra/scene_lol.cpp | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

(limited to 'engines/kyra/scene_lol.cpp')

diff --git a/engines/kyra/scene_lol.cpp b/engines/kyra/scene_lol.cpp
index 391de5e49c..a746080190 100644
--- a/engines/kyra/scene_lol.cpp
+++ b/engines/kyra/scene_lol.cpp
@@ -303,12 +303,10 @@ void LoLEngine::loadLevelGraphics(const char *file, int specialColor, int weight
 		_lastSpecialColor = specialColor;
 		_lastSpecialColorWeight = weight;
 		strcpy(_lastBlockDataFile, file);
-		if (palFile) {
-			strcpy(_lastOverridePalFile, palFile);
-			_lastOverridePalFilePtr = _lastOverridePalFile;
-		} else {
-			_lastOverridePalFilePtr = 0;
-		}
+		if (palFile)
+			_lastOverridePalFile = palFile;
+		else
+			_lastOverridePalFile.clear();
 	}
 
 	if (_flags.use16ColorMode) {
@@ -361,8 +359,8 @@ void LoLEngine::loadLevelGraphics(const char *file, int specialColor, int weight
 		memcpy(_vcnColTable, v, 128);
 		v += 128;
 
-		if (_lastOverridePalFilePtr) {
-			_res->loadFileToBuf(_lastOverridePalFilePtr, _screen->getPalette(0).getData(), 384);
+		if (!_lastOverridePalFile.empty()) {
+			_res->loadFileToBuf(_lastOverridePalFile.c_str(), _screen->getPalette(0).getData(), 384);
 		} else {
 			_screen->getPalette(0).copy(v, 0, 128);
 		}
-- 
cgit v1.2.3