authorrubidium <rubidium@openttd.org>2013-11-26 22:03:56 +0000
committerrubidium <rubidium@openttd.org>2013-11-26 22:03:56 +0000
commit70b2093ddb18bfffff5d2f80e29ce29aaa242478 (patch)
treea3c207d1760eb586669800c4bf2e6ffaf7784735
parentb0a6efc7b3e1e0180271aafcdac135caecc86e74 (diff)
(svn r26132) -Fix-ish: prevent issues due to overflowing multiplications by limiting the size of full zoom sprites to about 32ki x 32ki
-rw-r--r--src/spriteloader/grf.cpp10
1 files changed, 10 insertions, 0 deletions
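--- a/src/spriteloader/grf.cpp
+++ b/src/spriteloader/grf.cpp
@@ -235,6 +235,11 @@ uint8 LoadSpriteV1(SpriteLoader::Sprite *sprite, uint8 file_slot, size_t file_po
 sprite[zoom_lvl].x_offs = FioReadWord();
 sprite[zoom_lvl].y_offs = FioReadWord();
+ if (sprite[zoom_lvl].width > INT16_MAX) {
+ WarnCorruptSprite(file_slot, file_pos, __LINE__);
+ return 0;
+ }
+
 /* 0x02 indicates it is a compressed sprite, so we can't rely on 'num' to be valid.
 * In case it is uncompressed, the size is 'num' - 8 (header-size). */
 num = (type & 0x02) ? sprite[zoom_lvl].width * sprite[zoom_lvl].height : num - 8;
@@ -283,6 +288,11 @@ uint8 LoadSpriteV2(SpriteLoader::Sprite *sprite, uint8 file_slot, size_t file_po
 sprite[zoom_lvl].x_offs = FioReadWord();
 sprite[zoom_lvl].y_offs = FioReadWord();
+ if (sprite[zoom_lvl].width > INT16_MAX || sprite[zoom_lvl].height > INT16_MAX) {
+ WarnCorruptSprite(file_slot, file_pos, __LINE__);
+ return 0;
+ }
+
 /* Mask out colour information. */
 type = type & ~SCC_MASK;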
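Review bot: The LoadSpriteV1 hunk bounds only `width` while the LoadSpriteV2 hunk bounds both `width` and `height`, and neither site says why the asymmetry is safe; if V1 reads the height as a single byte (that read is outside the hunk) the width-only check suffices, otherwise height needs the same bound as in V2. Neither hunk states why INT16_MAX is the limit either: it is the bound under which `width * height` on the `num =` line of the first hunk (and presumably any buffer size derived from it later) stays within a 32-bit int, which is the overflow the commit message refers to. I would add a why-comment above each new check, e.g. `/* Bound the dimensions so width * height cannot overflow an int; anything larger is treated as a corrupt sprite. */`, with the V1 variant additionally noting that height is already byte-sized if that is indeed the case. Both enclosing functions start and end outside the hunks.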