From fc582c0e5975b0591268694fd02430504242b4a2 Mon Sep 17 00:00:00 2001 From: Walter van Niftrik Date: Wed, 6 Jan 2010 20:22:00 +0000 Subject: SCI: Fix overflow in LZS decompressor svn-id: r47090 --- engines/sci/decompressor.cpp | 10 ++++++---- engines/sci/decompressor.h | 4 ++-- 2 files changed, 8 insertions(+), 6 deletions(-) (limited to 'engines') diff --git a/engines/sci/decompressor.cpp b/engines/sci/decompressor.cpp index c213fca1ed..7d5064fca2 100644 --- a/engines/sci/decompressor.cpp +++ b/engines/sci/decompressor.cpp @@ -901,7 +901,8 @@ int DecompressorLZS::unpack(Common::ReadStream *src, byte *dest, uint32 nPacked, } int DecompressorLZS::unpackLZS() { - uint16 offs = 0, clen; + uint16 offs = 0; + uint32 clen; while (!isFinished()) { if (getBitsMSB(1)) { // Compressed bytes follow @@ -928,8 +929,9 @@ int DecompressorLZS::unpackLZS() { return _dwWrote == _szUnpacked ? 0 : SCI_ERROR_DECOMPRESSION_ERROR; } -uint16 DecompressorLZS::getCompLen() { - int clen, nibble; +uint32 DecompressorLZS::getCompLen() { + uint32 clen; + int nibble; // The most probable cases are hardcoded switch (getBitsMSB(2)) { case 0: @@ -958,7 +960,7 @@ uint16 DecompressorLZS::getCompLen() { } } -void DecompressorLZS::copyComp(int offs, int clen) { +void DecompressorLZS::copyComp(int offs, uint32 clen) { int hpos = _dwWrote - offs; while (clen--) diff --git a/engines/sci/decompressor.h b/engines/sci/decompressor.h index b49452ebc3..ed363621e8 100644 --- a/engines/sci/decompressor.h +++ b/engines/sci/decompressor.h @@ -192,8 +192,8 @@ public: int unpack(Common::ReadStream *src, byte *dest, uint32 nPacked, uint32 nUnpacked); protected: int unpackLZS(); - uint16 getCompLen(); - void copyComp(int offs, int clen); + uint32 getCompLen(); + void copyComp(int offs, uint32 clen); }; #endif -- cgit v1.2.3