From 84d8ac4c38bd2aabbbc7ad85ae257db69ba33574 Mon Sep 17 00:00:00 2001
From: Colin Snover
Date: Sun, 11 Sep 2016 20:59:39 -0500
Subject: SCI32: Fix buffer overflow when drawing border to a tiny text bitmap

---
 engines/sci/graphics/text32.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'engines/sci')

diff --git a/engines/sci/graphics/text32.cpp b/engines/sci/graphics/text32.cpp
index 11572581ff..254c7d92e6 100644
--- a/engines/sci/graphics/text32.cpp
+++ b/engines/sci/graphics/text32.cpp
@@ -183,13 +183,15 @@ void GfxText32::drawFrame(const Common::Rect &rect, const int16 size, const uint
 
 	// NOTE: Not fully disassembled, but this should be right
 	int16 rectWidth = targetRect.width();
-	int16 sidesHeight = targetRect.height() - size * 2;
+	int16 heightRemaining = targetRect.height();
+	int16 sidesHeight = heightRemaining - size * 2;
 	int16 centerWidth = rectWidth - size * 2;
 	int16 stride = _width - rectWidth;
 
-	for (int16 y = 0; y < size; ++y) {
+	for (int16 y = 0; y < size && y < heightRemaining; ++y) {
 		memset(pixels, color, rectWidth);
 		pixels += _width;
+		--heightRemaining;
 	}
 	for (int16 y = 0; y < sidesHeight; ++y) {
 		for (int16 x = 0; x < size; ++x) {
@@ -201,9 +203,10 @@ void GfxText32::drawFrame(const Common::Rect &rect, const int16 size, const uint
 		}
 		pixels += stride;
 	}
-	for (int16 y = 0; y < size; ++y) {
+	for (int16 y = 0; y < size && y < heightRemaining; ++y) {
 		memset(pixels, color, rectWidth);
 		pixels += _width;
+		--heightRemaining;
 	}
 }
 
-- 
cgit v1.2.3