libretro/scummvm
1
0
Fork 0
mirror of https://github.com/libretro/scummvm.git synced 2025-02-03 01:15:58 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

KYRA: (LOL) Fix buffer overflow in _lastOverridePalFile

Browse Source 
It was storing filenames of length 12 in a char[12] buffer.
Fixes bug #9627.
This commit is contained in:
Willem Jan Palenstijn 2016-10-25 23:11:13 +02:00
parent 97bc65e82f
commit b4515d0872
2 changed files with 7 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
engines/kyra/lol.h
View File

@ -987,8 +987,7 @@ private:
uint16 _specialGuiShapeY;
uint16 _specialGuiShapeMirrorFlag;
char _lastOverridePalFile[12];
char *_lastOverridePalFilePtr;
Common::String _lastOverridePalFile;
int _lastSpecialColor;
int _lastSpecialColorWeight;

14
engines/kyra/scene_lol.cpp
View File

@ -303,12 +303,10 @@ void LoLEngine::loadLevelGraphics(const char *file, int specialColor, int weight
_lastSpecialColor = specialColor;
_lastSpecialColorWeight = weight;
strcpy(_lastBlockDataFile, file);
if (palFile) {
strcpy(_lastOverridePalFile, palFile);
_lastOverridePalFilePtr = _lastOverridePalFile;
} else {
_lastOverridePalFilePtr = 0;
}
if (palFile)
_lastOverridePalFile = palFile;
else
_lastOverridePalFile.clear();
}
if (_flags.use16ColorMode) {
@ -361,8 +359,8 @@ void LoLEngine::loadLevelGraphics(const char *file, int specialColor, int weight
memcpy(_vcnColTable, v, 128);
v += 128;
if (_lastOverridePalFilePtr) {
_res->loadFileToBuf(_lastOverridePalFilePtr, _screen->getPalette(0).getData(), 384);
if (!_lastOverridePalFile.empty()) {
_res->loadFileToBuf(_lastOverridePalFile.c_str(), _screen->getPalette(0).getData(), 384);
} else {
_screen->getPalette(0).copy(v, 0, 128);
}