From 99073f9b57580570b5ecec4cb00f020867f02672 Mon Sep 17 00:00:00 2001 From: Filippos Karapetis Date: Tue, 23 Dec 2014 02:20:17 +0200 Subject: ZVISION: Fix some buffer overruns with the usage of sscanf() --- engines/zvision/scripting/actions.cpp | 18 +++++++++--------- engines/zvision/scripting/controls/input_control.cpp | 2 +- engines/zvision/scripting/controls/lever_control.cpp | 4 ++-- 3 files changed, 12 insertions(+), 12 deletions(-) (limited to 'engines/zvision/scripting') diff --git a/engines/zvision/scripting/actions.cpp b/engines/zvision/scripting/actions.cpp index 2a5046f146..5af847c61a 100644 --- a/engines/zvision/scripting/actions.cpp +++ b/engines/zvision/scripting/actions.cpp @@ -363,7 +363,7 @@ ActionInventory::ActionInventory(ZVision *engine, int32 slotkey, const Common::S _key = 0; char buf[25]; - sscanf(line.c_str(), "%25s %d", buf, &_key); + sscanf(line.c_str(), "%24s %d", buf, &_key); if (strcmp(buf, "add") == 0) { _type = 0; @@ -414,7 +414,7 @@ ActionKill::ActionKill(ZVision *engine, int32 slotkey, const Common::String &lin _key = 0; _type = 0; char keytype[25]; - sscanf(line.c_str(), "%25s", keytype); + sscanf(line.c_str(), "%24s", keytype); if (keytype[0] == '"') { if (!scumm_stricmp(keytype, "\"ANIM\"")) _type = SideFX::SIDEFX_ANIM; @@ -475,7 +475,7 @@ ActionMusic::ActionMusic(ZVision *engine, int32 slotkey, const Common::String &l uint loop = 0; uint volume = 255; - sscanf(line.c_str(), "%u %25s %u %u", &type, fileNameBuffer, &loop, &volume); + sscanf(line.c_str(), "%u %24s %u %u", &type, fileNameBuffer, &loop, &volume); // type 4 are midi sound effect files if (type == 4) { @@ -578,7 +578,7 @@ ActionPreloadAnimation::ActionPreloadAnimation(ZVision *engine, int32 slotkey, c char fileName[25]; // The two %*u are usually 0 and dont seem to have a use - sscanf(line.c_str(), "%25s %*u %*u %d %d", fileName, &_mask, &_framerate); + sscanf(line.c_str(), "%24s %*u %*u %d %d", fileName, &_mask, &_framerate); if (_mask > 0) { byte r, g, b; @@ -645,7 +645,7 @@ ActionPlayAnimation::ActionPlayAnimation(ZVision *engine, int32 slotkey, const C // The two %*u are always 0 and dont seem to have a use sscanf(line.c_str(), - "%25s %u %u %u %u %u %u %d %*u %*u %d %d", + "%24s %u %u %u %u %u %u %d %*u %*u %d %d", fileName, &_x, &_y, &_x2, &_y2, &_start, &_end, &_loopCount, &_mask, &_framerate); if (_mask > 0) { @@ -863,7 +863,7 @@ ActionSetPartialScreen::ActionSetPartialScreen(ZVision *engine, int32 slotkey, c char fileName[25]; int color; - sscanf(line.c_str(), "%u %u %25s %*u %d", &_x, &_y, fileName, &color); + sscanf(line.c_str(), "%u %u %24s %*u %d", &_x, &_y, fileName, &color); _fileName = Common::String(fileName); @@ -907,7 +907,7 @@ bool ActionSetPartialScreen::execute() { ActionSetScreen::ActionSetScreen(ZVision *engine, int32 slotkey, const Common::String &line) : ResultAction(engine, slotkey) { char fileName[25]; - sscanf(line.c_str(), "%25s", fileName); + sscanf(line.c_str(), "%24s", fileName); _fileName = Common::String(fileName); } @@ -966,7 +966,7 @@ ActionStreamVideo::ActionStreamVideo(ZVision *engine, int32 slotkey, const Commo char fileName[25]; uint skipline = 0; //skipline - render video with skip every second line, not skippable. - sscanf(line.c_str(), "%25s %u %u %u %u %u %u", fileName, &_x1, &_y1, &_x2, &_y2, &_flags, &skipline); + sscanf(line.c_str(), "%24s %u %u %u %u %u %u", fileName, &_x1, &_y1, &_x2, &_y2, &_flags, &skipline); _fileName = Common::String(fileName); _skippable = true; @@ -1017,7 +1017,7 @@ ActionSyncSound::ActionSyncSound(ZVision *engine, int32 slotkey, const Common::S char fileName[25]; int notUsed = 0; - sscanf(line.c_str(), "%d %d %25s", &_syncto, ¬Used, fileName); + sscanf(line.c_str(), "%d %d %24s", &_syncto, ¬Used, fileName); _fileName = Common::String(fileName); } diff --git a/engines/zvision/scripting/controls/input_control.cpp b/engines/zvision/scripting/controls/input_control.cpp index e75cc15743..d7734f6d7a 100644 --- a/engines/zvision/scripting/controls/input_control.cpp +++ b/engines/zvision/scripting/controls/input_control.cpp @@ -96,7 +96,7 @@ InputControl::InputControl(ZVision *engine, uint32 key, Common::SeekableReadStre } else if (param.matchString("cursor_animation", true)) { char fileName[25]; - sscanf(values.c_str(), "%25s %*u", fileName); + sscanf(values.c_str(), "%24s %*u", fileName); _animation = _engine->loadAnimation(fileName); _frame = -1; diff --git a/engines/zvision/scripting/controls/lever_control.cpp b/engines/zvision/scripting/controls/lever_control.cpp index 8faa18357c..bef51f0e91 100644 --- a/engines/zvision/scripting/controls/lever_control.cpp +++ b/engines/zvision/scripting/controls/lever_control.cpp @@ -64,12 +64,12 @@ LeverControl::LeverControl(ZVision *engine, uint32 key, Common::SeekableReadStre while (!stream.eos() && !line.contains('}')) { if (param.matchString("descfile", true)) { char levFileName[25]; - sscanf(values.c_str(), "%25s", levFileName); + sscanf(values.c_str(), "%24s", levFileName); parseLevFile(levFileName); } else if (param.matchString("cursor", true)) { char cursorName[25]; - sscanf(values.c_str(), "%25s", cursorName); + sscanf(values.c_str(), "%24s", cursorName); _cursor = _engine->getCursorManager()->getCursorId(Common::String(cursorName)); } -- cgit v1.2.3