diff options
author | rubidium <rubidium@openttd.org> | 2013-11-26 22:03:56 +0000 |
---|---|---|
committer | rubidium <rubidium@openttd.org> | 2013-11-26 22:03:56 +0000 |
commit | 70b2093ddb18bfffff5d2f80e29ce29aaa242478 (patch) | |
tree | a3c207d1760eb586669800c4bf2e6ffaf7784735 | |
parent | b0a6efc7b3e1e0180271aafcdac135caecc86e74 (diff) | |
download | openttd-70b2093ddb18bfffff5d2f80e29ce29aaa242478.tar.xz |
(svn r26132) -Fix-ish: prevent issues due to overflowing multiplications by limiting the size of full zoom sprites to about 32kix32ki
-rw-r--r-- | src/spriteloader/grf.cpp | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/spriteloader/grf.cpp b/src/spriteloader/grf.cpp index 2de58dc6f..678ebb79a 100644 --- a/src/spriteloader/grf.cpp +++ b/src/spriteloader/grf.cpp @@ -235,6 +235,11 @@ uint8 LoadSpriteV1(SpriteLoader::Sprite *sprite, uint8 file_slot, size_t file_po sprite[zoom_lvl].x_offs = FioReadWord(); sprite[zoom_lvl].y_offs = FioReadWord(); + if (sprite[zoom_lvl].width > INT16_MAX) { + WarnCorruptSprite(file_slot, file_pos, __LINE__); + return 0; + } + /* 0x02 indicates it is a compressed sprite, so we can't rely on 'num' to be valid. * In case it is uncompressed, the size is 'num' - 8 (header-size). */ num = (type & 0x02) ? sprite[zoom_lvl].width * sprite[zoom_lvl].height : num - 8; @@ -283,6 +288,11 @@ uint8 LoadSpriteV2(SpriteLoader::Sprite *sprite, uint8 file_slot, size_t file_po sprite[zoom_lvl].x_offs = FioReadWord(); sprite[zoom_lvl].y_offs = FioReadWord(); + if (sprite[zoom_lvl].width > INT16_MAX || sprite[zoom_lvl].height > INT16_MAX) { + WarnCorruptSprite(file_slot, file_pos, __LINE__); + return 0; + } + /* Mask out colour information. */ type = type & ~SCC_MASK; |