authorrubidium <rubidium@openttd.org>2011-08-12 18:36:47 +0000
committerrubidium <rubidium@openttd.org>2011-08-12 18:36:47 +0000
commit81074e0ca2b8c7fa470db5b657998ac614a810de (patch)
tree721f028bcea87ff250e6a8489890a8055dd8dbdc
parentc8f19a608da349bdb22e286054daa08d049baf84 (diff)
(svn r22737) -Fix [FS#4717]: some corrupted savegames could crash OpenTTD instead of showing the "savegame corrupted" message
-rw-r--r--src/saveload/cheat_sl.cpp2
-rw-r--r--src/saveload/company_sl.cpp1
-rw-r--r--src/saveload/strings_sl.cpp5
3 files changed, 8 insertions, 0 deletions
diff --git a/src/saveload/cheat_sl.cpp b/src/saveload/cheat_sl.cpp
index 724c945df..aa5648a88 100644
--- a/src/saveload/cheat_sl.cpp
+++ b/src/saveload/cheat_sl.cpp
@@ -38,6 +38,8 @@ static void Load_CHTS()
{
Cheat *cht = (Cheat*)&_cheats;
size_t count = SlGetFieldLength() / 2;
+ /* Cannot use lengthof because _cheats is of type Cheats, not Cheat */
+ if (count > sizeof(_cheats) / sizeof(Cheat)) SlErrorCorrupt("Too many cheat values");
for (uint i = 0; i < count; i++) {
cht[i].been_used = (SlReadByte() != 0);
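Review bot: The new bound rejects too many cheat entries, but an odd-length CHTS field still passes because `SlGetFieldLength() / 2` rounds down and leaves one byte of the field unconsumed; whether that desyncs the reader for the following chunk depends on how unread field bytes are handled, which this hunk does not show. Adding `if (SlGetFieldLength() % 2 != 0) SlErrorCorrupt("Invalid cheat field length");` next to the new check would reject such input explicitly. The division by 2 encodes the per-cheat record size, so a comment such as `/* each cheat is stored as two bytes: been_used and value */` above the count would make the derivation of the bound clear — the second read of the loop is outside the hunk, so confirm the layout before wording it. Load_CHTS's loop body continues outside the hunk.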
diff --git a/src/saveload/company_sl.cpp b/src/saveload/company_sl.cpp
index f99e104f2..2684a0655 100644
--- a/src/saveload/company_sl.cpp
+++ b/src/saveload/company_sl.cpp
@@ -283,6 +283,7 @@ static void SaveLoad_PLYR_common(Company *c, CompanyProperties *cprops)
SlObject(&cprops->cur_economy, _company_economy_desc);
/* Write old economy entries. */
+ if (cprops->num_valid_stat_ent > lengthof(cprops->old_economy)) SlErrorCorrupt("Too many old economy entries");
for (i = 0; i < cprops->num_valid_stat_ent; i++) {
SlObject(&cprops->old_economy[i], _company_economy_desc);
}
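Review bot: The new check sits in SaveLoad_PLYR_common, which by its name is shared by the save and load paths, so an out-of-range num_valid_stat_ent in memory would raise a "corrupted savegame" error while writing rather than a programming-error assertion; if SlErrorCorrupt is load-only by contract, that is worth stating, otherwise the check should be confined to the load path. The bound is only meaningful if num_valid_stat_ent has already been read by the time this line runs, which presumably happens in the preceding SlObject of the company properties but is not visible here. A comment such as `/* num_valid_stat_ent comes from the savegame; bound it before indexing old_economy (on save this is an invariant check) */` would document both points. The enclosing function continues outside the hunk.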
diff --git a/src/saveload/strings_sl.cpp b/src/saveload/strings_sl.cpp
index 6869a1af6..00180978b 100644
--- a/src/saveload/strings_sl.cpp
+++ b/src/saveload/strings_sl.cpp
@@ -126,7 +126,12 @@ static void Load_NAME()
int index;
while ((index = SlIterateArray()) != -1) {
+ if (index >= NUM_OLD_STRINGS) SlErrorCorrupt("Invalid old name index");
+ if (SlGetFieldLength() > (uint)LEN_OLD_STRINGS) SlErrorCorrupt("Invalid old name length");
+
SlArray(&_old_name_array[LEN_OLD_STRINGS * index], SlGetFieldLength(), SLE_UINT8);
+ /* Make sure the old name is null terminated */
+ _old_name_array[LEN_OLD_STRINGS * index + LEN_OLD_STRINGS - 1] = '\0';
}
}
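Review bot: `SlGetFieldLength()` is evaluated twice in the loop, once in the new length check and again as the SlArray length argument; reading it once removes any chance that the checked value and the copied value differ and makes the bound self-evident: `size_t len = SlGetFieldLength();` / `if (len > (uint)LEN_OLD_STRINGS) SlErrorCorrupt("Invalid old name length");` / `SlArray(&_old_name_array[LEN_OLD_STRINGS * index], len, SLE_UINT8);`. The index guard only covers the upper bound; since `index` is an int, `if (index < 0 || index >= NUM_OLD_STRINGS)` would also reject any negative value other than the -1 loop sentinel, should SlIterateArray ever return one. The forced terminator overwrites the last byte of a name that fills its slot exactly, which looks intended (such names lose one character); a short comment saying so would stop a later reader from treating it as a bug.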