libretro/scummvm
1
0
Fork 0
mirror of https://github.com/libretro/scummvm.git synced 2024-12-13 21:31:53 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

SHERLOCK: 3DO: add checks to ccb header reading

Browse Source 
verify that height+width from PRE0/PRE1 are correct
security check
This commit is contained in:
Martin Kiewitz 2015-06-13 17:18:59 +02:00
parent 45f27edb0a
commit cacf8fbcb0
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
engines/sherlock/image_file.cpp
View File

@ -391,8 +391,10 @@ void ImageFile3DO::load3DOCelFile(Common::SeekableReadStream &stream) {
uint16 ccbPPMP0 = 0;
uint16 ccbPPMP1 = 0;
uint32 ccbPRE0 = 0;
uint16 ccbPRE0_height = 0;
byte ccbPRE0_bitsPerPixel = 0;
uint32 ccbPRE1 = 0;
uint16 ccbPRE1_width = 0;
uint32 ccbWidth = 0;
uint32 ccbHeight = 0;
// pixel lookup table
@ -472,6 +474,11 @@ void ImageFile3DO::load3DOCelFile(Common::SeekableReadStream &stream) {
ccbPRE0_bitsPerPixel = imagefile3DO_cel_bitsPerPixelLookupTable[ccbPRE0 & 0x07];
if (!ccbPRE0_bitsPerPixel)
error("load3DOCelFile: Invalid CCB PRE0 bits per pixel");
ccbPRE0_height = ((ccbPRE0 >> 6) & 0x03FF) + 1;
ccbPRE1_width = (ccbPRE1 & 0x03FF) + 1;
assert(ccbPRE0_height == ccbHeight);
assert(ccbPRE1_width == ccbWidth);
break;
case MKTAG('P', 'L', 'U', 'T'):
@ -603,8 +610,10 @@ void ImageFile3DO::load3DOCelRoomData(Common::SeekableReadStream &stream) {
uint16 ccbPPMP0 = 0;
uint16 ccbPPMP1 = 0;
uint32 ccbPRE0 = 0;
uint16 ccbPRE0_height = 0;
byte ccbPRE0_bitsPerPixel = 0;
uint32 ccbPRE1 = 0;
uint16 ccbPRE1_width = 0;
uint32 ccbWidth = 0;
uint32 ccbHeight = 0;
// cel data
@ -636,6 +645,11 @@ void ImageFile3DO::load3DOCelRoomData(Common::SeekableReadStream &stream) {
if (!ccbPRE0_bitsPerPixel)
error("load3DOCelRoomData: Invalid CCB PRE0 bits per pixel");
ccbPRE0_height = ((ccbPRE0 >> 6) & 0x03FF) + 1;
ccbPRE1_width = (ccbPRE1 & 0x03FF) + 1;
assert(ccbPRE0_height == ccbHeight);
assert(ccbPRE1_width == ccbWidth);
if (ccbPRE0_bitsPerPixel != 16) {
// We currently support 16-bits per pixel in here
error("load3DOCelRoomData: bits per pixel < 16?!?!?");