From afd677c2c7a7e6dd088f64ff77bcb4fa154b4cc4 Mon Sep 17 00:00:00 2001
From: Travis Howell
Date: Sat, 23 Oct 2010 02:18:08 +0000
Subject: SCUMM: Fix buffer overflow, that was causing crashes when saving in Backyard Baseball 2001/2003.
svn-id: r53726
---
engines/scumm/he/script_v100he.cpp | 6 ++----
engines/scumm/he/script_v60he.cpp | 7 +++----
engines/scumm/he/script_v72he.cpp | 6 ++----
engines/scumm/scumm.cpp | 1 -
engines/scumm/scumm.h | 2 +-
5 files changed, 8 insertions(+), 14 deletions(-)
(limited to 'engines/scumm')
diff --git a/engines/scumm/he/script_v100he.cpp b/engines/scumm/he/script_v100he.cpp
index 3555f55d95..37861b4747 100644
--- a/engines/scumm/he/script_v100he.cpp
+++ b/engines/scumm/he/script_v100he.cpp
@@ -1623,13 +1623,11 @@ void ScummEngine_v100he::o100_roomOps() {
 case 137:
 byte buffer[256];
- int r;
 copyScriptString((byte *)buffer, sizeof(buffer));
- r = convertFilePath(buffer, sizeof(buffer));
- memcpy(_saveLoadFileName, buffer + r, sizeof(buffer) - r);
- debug(1, "o100_roomOps: case 137: filename %s", _saveLoadFileName);
+ _saveLoadFileName = (char *)buffer + convertFilePath(buffer, sizeof(buffer));
+ debug(1, "o100_roomOps: case 137: filename %s", _saveLoadFileName.c_str());
 _saveLoadFlag = pop();
 _saveLoadSlot = 255;
diff --git a/engines/scumm/he/script_v60he.cpp b/engines/scumm/he/script_v60he.cpp
index 8ade78c1b5..9d62a31f6d 100644
--- a/engines/scumm/he/script_v60he.cpp
+++ b/engines/scumm/he/script_v60he.cpp
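Review bot: Nothing in this hunk guarantees that `buffer` is NUL-terminated within its 256 bytes or that the offset returned by convertFilePath stays inside the array, and the new assignment `_saveLoadFileName = (char *)buffer + convertFilePath(buffer, sizeof(buffer));` depends on both, because it reads a C string from wherever that offset points. The file name comes from script data, so I would keep the offset in a local and check it, e.g. `const int r = convertFilePath(buffer, sizeof(buffer));` followed by `assert(r >= 0 && r < (int)sizeof(buffer));`, and confirm that copyScriptString always terminates the string when it truncates. The same pattern is added in o60_roomOps (script_v60he.cpp, where a 100-byte buffer is filled by convertMessageToString) and in o72_roomOps (script_v72he.cpp). The case body continues outside the hunk.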
@@ -283,15 +283,14 @@ void ScummEngine_v60he::o60_roomOps() {
 break;
 case 221:
 byte buffer[100];
- int len, r;
+ int len;
 convertMessageToString(_scriptPointer, buffer, sizeof(buffer));
 len = resStrLen(_scriptPointer);
 _scriptPointer += len + 1;
- r = convertFilePath(buffer, sizeof(buffer));
- memcpy(_saveLoadFileName, buffer + r, sizeof(buffer) - r);
- debug(1, "o60_roomOps: case 221: filename %s", _saveLoadFileName);
+ _saveLoadFileName = (char *)buffer + convertFilePath(buffer, sizeof(buffer));
+ debug(1, "o60_roomOps: case 221: filename %s", _saveLoadFileName.c_str());
 _saveLoadFlag = pop();
 _saveLoadSlot = 255;
diff --git a/engines/scumm/he/script_v72he.cpp b/engines/scumm/he/script_v72he.cpp
index bf3146adcd..fe51e583be 100644
--- a/engines/scumm/he/script_v72he.cpp
+++ b/engines/scumm/he/script_v72he.cpp
@@ -711,13 +711,11 @@ void ScummEngine_v72he::o72_roomOps() {
 case 221:
 byte buffer[256];
- int r;
 copyScriptString((byte *)buffer, sizeof(buffer));
- r = convertFilePath(buffer, sizeof(buffer));
- memcpy(_saveLoadFileName, buffer + r, sizeof(buffer) - r);
- debug(1, "o72_roomOps: case 221: filename %s", _saveLoadFileName);
+ _saveLoadFileName = (char *)buffer + convertFilePath(buffer, sizeof(buffer));
+ debug(1, "o72_roomOps: case 221: filename %s", _saveLoadFileName.c_str());
 _saveLoadFlag = pop();
 _saveLoadSlot = 255;
diff --git a/engines/scumm/scumm.cpp b/engines/scumm/scumm.cpp
index 68adeeffc2..c5b3dcf4e3 100644
--- a/engines/scumm/scumm.cpp
+++ b/engines/scumm/scumm.cpp
@@ -210,7 +210,6 @@ ScummEngine::ScummEngine(OSystem *syst, const DetectorResult &dr)
 _saveLoadSlot = 0;
 _lastSaveTime = 0;
 _saveTemporaryState = false;
- memset(_saveLoadFileName, 0, sizeof(_saveLoadFileName));
 memset(_saveLoadName, 0, sizeof(_saveLoadName));
 memset(_localScriptOffsets, 0, sizeof(_localScriptOffsets));
 _scriptPointer = NULL;
diff --git a/engines/scumm/scumm.h b/engines/scumm/scumm.h
index 90b9240579..33ed2e3763 100644
--- a/engines/scumm/scumm.h
+++ b/engines/scumm/scumm.h
@@ -659,7 +659,7 @@ protected:
 byte _saveLoadFlag, _saveLoadSlot;
 uint32 _lastSaveTime;
 bool _saveTemporaryState;
- char _saveLoadFileName[32];
+ Common::String _saveLoadFileName;
 char _saveLoadName[32];
 bool saveState(Common::OutSaveFile *out, bool writeHeader = true);
--
cgit v1.2.3
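Review bot: Changing the member to `Common::String` changes what any remaining `%s` varargs use of `_saveLoadFileName` receives, and the compiler will not necessarily reject such a call; the three debug() calls in this commit were given `.c_str()`, but uses outside the diff are not visible here and should be grepped. The neighbouring `char _saveLoadName[32];` keeps the fixed 32-byte layout that made the old memcpy overflow possible, so the code that writes it deserves the same audit. I would also document the member, for example `// Save/load file name supplied by HE scripts; variable length, never copy into a fixed-size array`. The declaration sits in a class whose body starts and ends outside the hunk.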