duuqnd/cave-story-solaris
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

src/TextScr.cpp: Do not crash when TSC files are too big with FIX_BUGS

Browse source 
Signed-off-by: Gabriel Ravier <gabravier@gmail.com>
This commit is contained in:
Gabriel Ravier 2020-07-02 16:43:13 +02:00
parent 143f3b9646
commit ff25ddfef0
1 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/TextScr.cpp
View file

@ -172,6 +172,11 @@ BOOL LoadTextScript_Stage(const char *name)
return FALSE;
// Read Head.tsc. Note that head_size may exceed the size of 'gTS.data' (TSC_BUFFER_SIZE)
#ifdef FIX_BUGS
if (head_size > TSC_BUFFER_SIZE) // The original doesn't check for any kind of buffer overflow here, so feeding in a 1 MiB Head.tsc (assuming an unchanged TSC_BUFFER_SIZE) would be sure to crash the game, for example.
return FALSE;
#endif
fread(gTS.data, 1, head_size, fp);
EncryptionBinaryData2((unsigned char*)gTS.data, head_size);
gTS.data[head_size] = '\0';
@ -189,6 +194,11 @@ BOOL LoadTextScript_Stage(const char *name)
return FALSE;
// Read stage's tsc. Note that head_size + body_size may exceed the size of 'gTS.data' (TSC_BUFFER_SIZE)
#ifdef FIX_BUGS
if ((head_size + body_size) > TSC_BUFFER_SIZE) // Same as above, the original doesn't bother checking and may crash on large enough input
return FALSE;
#endif
fread(&gTS.data[head_size], 1, body_size, fp);
EncryptionBinaryData2((unsigned char*)&gTS.data[head_size], body_size);
gTS.data[head_size + body_size] = '\0';