(svn r7475) -Fix (r7348): sanity check NewGRF action 8 strings for null terminator

2 files changed, 29 insertions, 4 deletions

diff --git a/newgrf.c b/newgrf.c
index 2f162f826..db28e6ee5 100644
--- a/newgrf.c
+++ b/newgrf.c
@@ -2466,6 +2466,7 @@ static void SkipIf(byte *buf, int len)
 	}
 }
 
+
 /* Action 0x08 (GLS_FILESCAN) */
 static void ScanInfo(byte *buf, int len)
 {
@@ -2473,16 +2474,30 @@ static void ScanInfo(byte *buf, int len)
 	uint32 grfid;
 	const char *name;
 	const char *info;
+	int name_len;
+	int info_len;
 
 	check_length(len, 8, "Info"); buf++;
 	version = grf_load_byte(&buf);
 	grfid = grf_load_dword(&buf);
-	name = (const char*)buf;
-	info = name + strlen(name) + 1;
 
 	_cur_grfconfig->grfid = grfid;
-	_cur_grfconfig->name  = TranslateTTDPatchCodes(name);
-	_cur_grfconfig->info  = TranslateTTDPatchCodes(info);
+
+	len -= 6;
+	name = (const char*)buf;
+	name_len = ttd_strnlen(name, len);
+
+	if (name_len < len) {
+		_cur_grfconfig->name = TranslateTTDPatchCodes(name);
+
+		len -= name_len + 1;
+		info = name + name_len + 1;
+		info_len = ttd_strnlen(info, len);
+
+		if (info_len < len) {
+			_cur_grfconfig->info  = TranslateTTDPatchCodes(info);
+		}
+	}
 
 	_skip_sprites = -1;
 }
diff --git a/string.h b/string.h
index d5f637719..2dbc06eee 100644
--- a/string.h
+++ b/string.h
@@ -46,6 +46,16 @@ typedef enum CharSetFilter {
 /** Convert the given string to lowercase, only works with ASCII! */
 void strtolower(char *str);
 
+
+/** Get the length of a string, within a limited buffer */
+static inline int ttd_strnlen(const char *str, int maxlen)
+{
+	const char *t;
+	for (t = str; *t != '\0' && t - str < maxlen; t++);
+	return t - str;
+}
+
+
 typedef uint32 WChar;
 
 /**