(svn r12637) -Fix [FS#1913]: possible NULL pointer dereference when reading some NewGRF data.

2 files changed, 5 insertions, 7 deletions

diff --git a/src/network/core/config.h b/src/network/core/config.h
index e261ef2f0..33e79a9a7 100644
--- a/src/network/core/config.h
+++ b/src/network/core/config.h
@@ -38,14 +38,9 @@ enum {
 	/**
 	 * Maximum number of GRFs that can be sent.
 	 * This value is related to number of handles (files) OpenTTD can open.
-	 * This is currently 64 and about 10 are currently used when OpenTTD loads
-	 * without any NewGRFs. Therefore one can only load about 55 NewGRFs, so
-	 * this is not a limit, but rather a way to easily check whether the limit
-	 * imposed by the handle count is reached. Secondly it isn't possible to
-	 * send much more GRF IDs + MD5sums in the PACKET_UDP_SERVER_RESPONSE, due
-	 * to the limited size of UDP packets.
+	 * This is currently 64. Two are used for configuration and sound.
 	 */
-	NETWORK_MAX_GRF_COUNT         =   55,
+	NETWORK_MAX_GRF_COUNT         =   62,
 
 	NETWORK_NUM_LANGUAGES         =   36, ///< Number of known languages (to the network protocol) + 1 for 'any'.
 	/**
diff --git a/src/network/core/udp.cpp b/src/network/core/udp.cpp
index 6c8b56a53..77a4c81ae 100644
--- a/src/network/core/udp.cpp
+++ b/src/network/core/udp.cpp
@@ -221,6 +221,9 @@ void NetworkUDPSocketHandler::Recv_NetworkGameInfo(Packet *p, NetworkGameInfo *i
 			uint i;
 			uint num_grfs = p->Recv_uint8();
 
+			/* Broken/bad data. It cannot have that many NewGRFs. */
+			if (num_grfs > NETWORK_MAX_GRF_COUNT) return;
+
 			for (i = 0; i < num_grfs; i++) {
 				GRFConfig *c = CallocT<GRFConfig>(1);
 				this->Recv_GRFIdentifier(p, c);