From 6b95528b49e40117a309dab8cb593d140c783cf4 Mon Sep 17 00:00:00 2001
From: Colin Snover
Date: Mon, 13 Feb 2017 14:54:08 -0600
Subject: SCI32: Fix bad relocations of SCI3 objects

---
 engines/sci/engine/object.cpp | 1 +
 engines/sci/engine/script.cpp | 5 ++---
 2 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'engines')

diff --git a/engines/sci/engine/object.cpp b/engines/sci/engine/object.cpp
index 47d551980e..b507e36a77 100644
--- a/engines/sci/engine/object.cpp
+++ b/engines/sci/engine/object.cpp
@@ -140,6 +140,7 @@ bool Object::relocateSci0Sci21(SegmentId segment, int location, size_t scriptSiz
 
 bool Object::relocateSci3(SegmentId segment, uint32 location, int offset, size_t scriptSize) {
 	assert(_propertyOffsetsSci3.size());
+	assert(offset >= 0 && (uint)offset < scriptSize);
 
 	for (uint i = 0; i < _variables.size(); ++i) {
 		if (location == _propertyOffsetsSci3[i]) {
diff --git a/engines/sci/engine/script.cpp b/engines/sci/engine/script.cpp
index 1672f69975..f24437346b 100644
--- a/engines/sci/engine/script.cpp
+++ b/engines/sci/engine/script.cpp
@@ -764,13 +764,12 @@ void Script::relocateSci0Sci21(reg_t block) {
 
 void Script::relocateSci3(reg_t block) {
 	SciSpan<const byte> relocStart = _buf->subspan(_buf->getUint32SEAt(8));
-	//int count = _bufSize - READ_SCI11ENDIAN_UINT32(_buf + 8);
+	const uint relocCount = _buf->getUint16SEAt(18);
 
 	ObjMap::iterator it;
 	for (it = _objects.begin(); it != _objects.end(); ++it) {
 		SciSpan<const byte> seeker = relocStart;
-		while (seeker.size()) {
-			// TODO: Find out what UINT16 at (seeker + 8) means
+		for (uint i = 0; i < relocCount; ++i) {
 			it->_value.relocateSci3(block.getSegment(),
 						seeker.getUint32SEAt(0),
 						seeker.getUint32SEAt(4),
-- 
cgit v1.2.3