authorrubidium <rubidium@openttd.org>2013-11-23 18:11:01 +0000
committerrubidium <rubidium@openttd.org>2013-11-23 18:11:01 +0000
commit1b9e32664f4b73fc61fe9f20fb9f184743fc1b06 (patch)
treecb190522dd8b6f91e7e58af0d2da2d61f3d0534f
parentcf130ce9d86253c4c4b91ff22c6ae27f8d165171 (diff)
downloadopenttd-1b9e32664f4b73fc61fe9f20fb9f184743fc1b06.tar.xz
(svn r26070) -Fix: prevent extremely huge size for data (1+GiB)
-rw-r--r--src/newgrf_config.cpp9
1 files changed, 8 insertions, 1 deletions
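diff --git a/src/newgrf_config.cpp b/src/newgrf_config.cpp
index df8685030..337b3edd1 100644
--- a/src/newgrf_config.cpp
+++ b/src/newgrf_config.cpp
@@ -335,7 +335,14 @@ size_t GRFGetSizeOfDataSection(FILE *f)
 if (fread(data, 1, header_len, f) == header_len) {
 if (data[0] == 0 && data[1] == 0 && MemCmpT(data + 2, _grf_cont_v2_sig, 8) == 0) {
 /* Valid container version 2, get data section size. */
- size_t offset = (data[13] << 24) | (data[12] << 16) | (data[11] << 8) | data[10];
+ size_t offset = ((size_t)data[13] << 24) | ((size_t)data[12] << 16) | ((size_t)data[11] << 8) | (size_t)data[10];
+ if (offset >= 1 * 1024 * 1024 * 1024) {
+ DEBUG(grf, 0, "Unexpectedly large offset for NewGRF");
+ /* Having more than 1 GiB of data is very implausible. Mostly because then
+ * all pools in OpenTTD are flooded already. Or it's just Action C all over.
+ * In any case, the offsets to graphics will likely not work either. */
+ return SIZE_MAX;
+ }
 return header_len + offset;
 }
 }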
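Review bot: The 1 GiB bound in the added `if (offset >= 1 * 1024 * 1024 * 1024)` is a bare magic number whose rationale lives only in the comment beneath it; a named file-scope constant such as `static const size_t MAX_GRF_DATA_OFFSET = 1 * 1024 * 1024 * 1024; /* 1 GiB, see GRFGetSizeOfDataSection */` would make the limit self-describing and reusable by whichever caller checks the `SIZE_MAX` result. The `(size_t)` casts on the shift operands remove the signed-`int` promotion of the old line, and the bound additionally keeps `header_len + offset` from wrapping where `size_t` is 32 bits, which the comment could state in one clause, e.g. `* It also keeps header_len + offset from wrapping on 32-bit size_t.`. Whether `SIZE_MAX` is already the failure value of the other return paths of GRFGetSizeOfDataSection is not visible here; if this sentinel is new, every caller that adds the result to a file position needs to reject it first. The DEBUG line would be more useful in bug reports if it also logged the rejected offset value, using whatever size_t format the project's DEBUG macro expects. GRFGetSizeOfDataSection begins and ends outside the hunk.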