libretro/scummvm
1
0
Fork 0
mirror of https://github.com/libretro/scummvm.git synced 2025-02-02 17:03:13 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

TINSEL: Fix out-of-bounds memory corruption

Browse Source 
for's condition is evaluated after the expression(s) so we ended up
reading invalid memory in ptp.
This commit is contained in:
Miro Kropacek 2023-09-09 16:08:34 +02:00 committed by Eugene Sandulenko
parent 06a64db61e
commit daca89fcc7
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
engines/tinsel/polygons.cpp
View File

@ -321,9 +321,10 @@ void Poly::nextPoly() {
nlistx = (const int32 *)(_pStart + (int)FROM_32(pnodelistx));
nlisty = (const int32 *)(_pStart + (int)FROM_32(pnodelisty));
if (TinselVersion == 0)
if (TinselVersion == 0) {
// Skip to the last 4 bytes of the record for the hScript value
_pData = pRecord + 0x62C;
}
hScript = nextLong(_pData);
}
@ -1886,7 +1887,11 @@ void InitPolygons(SCNHANDLE ph, int numPoly, bool bRestart) {
if (numPoly > 0) {
Poly ptp(_vm->_handle->LockMem(ph));
for (int i = 0; i < numPoly; ++i, ++ptp) {
for (int i = 0; i < numPoly; ++i) {
// 'ptp' has already been initialized in its c-tor
if (i > 0)
++ptp;
switch (ptp.getType()) {
case POLY_PATH:
InitPath(ptp, false, i, bRestart);