X Tutup
Skip to content
/ scummvm Public

SCUMM: Add some bounds-checking to o5_stringOps() (bug #15884)#6586

Merged
bluegr merged 1 commit intoscummvm:masterfrom
eriktorbjorn:scumm-string-bounds-fix
May 2, 2025
Merged

SCUMM: Add some bounds-checking to o5_stringOps() (bug #15884)#6586
bluegr merged 1 commit intoscummvm:masterfrom
eriktorbjorn:scumm-string-bounds-fix

Conversation

@eriktorbjorn
Copy link
Member

@eriktorbjorn eriktorbjorn commented May 2, 2025

As described in https://bugs.scummvm.org/ticket/15884 there appears to be a script bug in the Fate of Atlantis copy protection. This is basically what the room-81-204 script does:

if (VAR_VIRT_MOUSE_X >= 53 && VAR_VIRT_MOUSE_X <= 261) {
    // Check what part of the copy protection stones the mouse is over...
    x = (VAR_VIRT_MOUSE_X - 53) / 16;
    y = (VAR_VIRT_MOUSE_Y - 21) / 10;
    ch = STR35[y * 10 + x]

    // ... and act on it

So it verifies that the mouse X position is within the copy protection stones, but doesn't care about the Y position. As you move the mouse to the top of the screen, negative indexes become first possible, and then inevitable.

In this particular script, we should return 48 (ASCII for "0") to indicate a non-clickable part of the stones. But anything that isn't 49-56 goes to the same "do nothing" default case so returning 0 should work just as well, and now we have well defined behavior across all games.

I don't know of any game that tries to write outside a string, but it doesn't hurt to catch that case as well.

SCUMM: Add some bounds-checking to o5_stringOps() (bug #15884)
e527f53 
This is primarily to fix out-of-bounds reads in the Fate of Atlantis
copy protection script, but it doesn't hurt to do it always. And we may
as well stop out-of-bounds writes while we're at it.
@bluegr
Copy link
Member

bluegr commented May 2, 2025

Thanks!

Bounds checking on strings is a step towards the right direction :)
Plus, it will definitely help in identifying weird issues like the ones we had in some bug reports for The Dig.

@bluegr bluegr merged commit 524ce37 into scummvm:master May 2, 2025
8 checks passed
@eriktorbjorn
Copy link
Member Author

eriktorbjorn commented May 2, 2025

I just noticed that VGA Loom seems to write outside a string resource when starting the game:

WARNING: o5_stringOps: Writing 9 to string 21 (size 12) out of bounds (12)!

I wonder what that string resource is used for.

@eriktorbjorn
Copy link
Member Author

eriktorbjorn commented May 2, 2025
edited
Loading

It looks like the resource manager allocates 2 extra bytes for each resource? (See SAFETY_AREA in the resource manager.) So it's possible some out of bounds access has been harmless in the past. Let's see if this new bounds checking breaks anything. We should probably not merge it to 2.9 anyway.

@eriktorbjorn
Copy link
Member Author

eriktorbjorn commented May 2, 2025

I've relaxed the bounds checking so that reading/writing to the "safety area" is allowed, though a warning is still printed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@eriktorbjorn @bluegr
X Tutup