diff options
| author | yexo <yexo@openttd.org> | 2010-04-06 21:16:36 +0000 |
|---|---|---|
| committer | yexo <yexo@openttd.org> | 2010-04-06 21:16:36 +0000 |
| commit | faf5e19aaedfa5ec70ddde2ba7be60909899616a (patch) | |
| tree | 9b53414176322eb7ef240cfd522b89e35196f3a7 | |
| parent | 8da54d59eaacc3b6c7f686067e89c520e148546d (diff) | |
| download | openttd-faf5e19aaedfa5ec70ddde2ba7be60909899616a.tar.xz | |
(svn r19569) -Fix: possible buffer underflow in newgrf string code
| -rw-r--r-- | src/newgrf_text.cpp | 4 | ||||
| -rw-r--r-- | src/newgrf_text.h | 2 | ||||
| -rw-r--r-- | src/strings.cpp | 3 |
3 files changed, 5 insertions, 4 deletions
diff --git a/src/newgrf_text.cpp b/src/newgrf_text.cpp index 6cf10f1c8..a564e1917 100644 --- a/src/newgrf_text.cpp +++ b/src/newgrf_text.cpp @@ -636,7 +636,7 @@ void RewindTextRefStack() * @param argv the OpenTTD stack of values * @return the string control code to "execute" now */ -uint RemapNewGRFStringControlCode(uint scc, char **buff, const char **str, int64 *argv) +uint RemapNewGRFStringControlCode(uint scc, char *buf_start, char **buff, const char **str, int64 *argv) { if (_newgrf_textrefstack->used) { switch (scc) { @@ -663,7 +663,7 @@ uint RemapNewGRFStringControlCode(uint scc, char **buff, const char **str, int64 case SCC_NEWGRF_ROTATE_TOP_4_WORDS: _newgrf_textrefstack->RotateTop4Words(); break; case SCC_NEWGRF_PUSH_WORD: _newgrf_textrefstack->PushWord(Utf8Consume(str)); break; - case SCC_NEWGRF_UNPRINT: *buff -= Utf8Consume(str); break; + case SCC_NEWGRF_UNPRINT: *buff = max(*buff - Utf8Consume(str), buf_start); break; case SCC_NEWGRF_PRINT_STRING_ID: *argv = TTDPStringIDToOTTDStringIDMapping(_newgrf_textrefstack->PopUnsignedWord()); diff --git a/src/newgrf_text.h b/src/newgrf_text.h index d75246e25..bfd308ca3 100644 --- a/src/newgrf_text.h +++ b/src/newgrf_text.h @@ -28,7 +28,7 @@ void StopTextRefStackUsage(); void SwitchToNormalRefStack(); void SwitchToErrorRefStack(); void RewindTextRefStack(); -uint RemapNewGRFStringControlCode(uint scc, char **buff, const char **str, int64 *argv); +uint RemapNewGRFStringControlCode(uint scc, char *buf_start, char **buff, const char **str, int64 *argv); StringID TTDPStringIDToOTTDStringIDMapping(StringID string); diff --git a/src/strings.cpp b/src/strings.cpp index 59983a539..0d8b48eaf 100644 --- a/src/strings.cpp +++ b/src/strings.cpp @@ -554,11 +554,12 @@ static char *FormatString(char *buff, const char *str, int64 *argv, uint casei, WChar b; int64 *argv_orig = argv; uint modifier = 0; + char *buf_start = buff; while ((b = Utf8Consume(&str)) != '\0') { if (SCC_NEWGRF_FIRST <= b && b <= SCC_NEWGRF_LAST) { /* We need to pass some stuff as it might be modified; oh boy. */ - b = RemapNewGRFStringControlCode(b, &buff, &str, argv); + b = RemapNewGRFStringControlCode(b, buf_start, &buff, &str, argv); if (b == 0) continue; } |