libretro/scummvm
1
0
Fork 0
mirror of https://github.com/libretro/scummvm.git synced 2025-03-06 18:27:26 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

XEEN: Fix read of freed data in multiple rapid playFX calls

Browse Source
This commit is contained in:
Paul Gilbert 2018-04-12 19:13:35 -04:00
parent 13c828801e
commit 55c2a6001c
2 changed files with 20 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
engines/xeen/sound.cpp
View File

@ -121,29 +121,29 @@ void Sound::updateSoundSettings() {
void Sound::loadEffectsData() {
// Stop any prior FX
stopFX();
delete[] _effectsData;
// Load in an entire driver so we have quick access to the effects data
// that's hardcoded within it
File file("blastmus");
byte *effectsData = new byte[file.size()];
file.seek(0);
file.read(effectsData, file.size());
file.close();
_effectsData = effectsData;
if (!_effectsData) {
// Load in an entire driver so we have quick access to the effects data that's hardcoded within it
File file("blastmus");
byte *effectsData = new byte[file.size()];
file.seek(0);
file.read(effectsData, file.size());
file.close();
_effectsData = effectsData;
// Locate the playFX routine
const byte *fx = effectsData + READ_LE_UINT16(effectsData + 10) + 12;
assert(READ_BE_UINT16(fx + 28) == 0x81FB);
uint numEffects = READ_LE_UINT16(fx + 30);
// Locate the playFX routine
const byte *fx = effectsData + READ_LE_UINT16(effectsData + 10) + 12;
assert(READ_BE_UINT16(fx + 28) == 0x81FB);
uint numEffects = READ_LE_UINT16(fx + 30);
assert(READ_BE_UINT16(fx + 36) == 0x8B87);
const byte *table = effectsData + READ_LE_UINT16(fx + 38);
assert(READ_BE_UINT16(fx + 36) == 0x8B87);
const byte *table = effectsData + READ_LE_UINT16(fx + 38);
// Extract the effects offsets
_effectsOffsets.resize(numEffects);
for (uint idx = 0; idx < numEffects; ++idx)
_effectsOffsets[idx] = READ_LE_UINT16(&table[idx * 2]);
// Extract the effects offsets
_effectsOffsets.resize(numEffects);
for (uint idx = 0; idx < numEffects; ++idx)
_effectsOffsets[idx] = READ_LE_UINT16(&table[idx * 2]);
}
}
void Sound::playFX(uint effectId) {

5
engines/xeen/sound_driver.cpp
View File

@ -126,10 +126,7 @@ bool SoundDriver::musSkipWord(const byte *&srcP, byte param) {
bool SoundDriver::cmdFreezeFrequency(const byte *&srcP, byte param) {
debugC(3, kDebugSound, "cmdFreezeFrequency %d", param);
if (param >= _channels.size())
warning("Invalid channel %d in cmdFreezeFrequency call", param);
else
_channels[param]._changeFrequency = false;
_channels[param]._changeFrequency = false;
return false;
}