From b7d5dd9187d472df73075c2bb92d0a4f71726df7 Mon Sep 17 00:00:00 2001
From: Colin Snover
Date: Mon, 14 Mar 2016 10:22:41 -0500
Subject: SCI32: Fix heap overflow (read) in kStringCopy

---
 engines/sci/engine/kstring.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'engines')

diff --git a/engines/sci/engine/kstring.cpp b/engines/sci/engine/kstring.cpp
index f598cf7457..6d61ad5f41 100644
--- a/engines/sci/engine/kstring.cpp
+++ b/engines/sci/engine/kstring.cpp
@@ -781,7 +781,8 @@ reg_t kStringCopy(EngineState *s, int argc, reg_t *argv) {
 // Note: We're accessing from c_str() here because the
 // string's size ignores the trailing 0 and therefore
 // triggers an assert when doing string2[i + index2].
- for (uint16 i = 0; i < count; i++)
+ uint16 size = MIN(string2Size, count);
+ for (uint16 i = 0; i < size; i++)
 string1->setValue(i + index1, string2[i + index2]);

 return argv[0];
--
cgit v1.2.3
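Review bot: The new bound on the added `uint16 size = MIN(string2Size, count);` line clamps the loop counter but not the actual read offset, which is `i + index2` on the `string1->setValue(...)` line, so with a non-zero index2 the loop can still read up to index2 bytes past the end of string2. Assuming string2Size is the length of string2 (it is computed outside the hunk), the clamp should account for the start offset: `if (index2 >= string2Size) return argv[0];` followed by `uint16 size = MIN(string2Size - index2, count);`. The destination write `string1->setValue(i + index1, ...)` is likewise not bounded by this change; if setValue does not range-check internally, the same treatment is needed on the write side. kStringCopy begins and ends outside this hunk, so the derivation of string2Size, index2 and count from argv could not be checked here.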