diff options
author | rubidium <rubidium@openttd.org> | 2013-11-23 18:11:01 +0000 |
---|---|---|
committer | rubidium <rubidium@openttd.org> | 2013-11-23 18:11:01 +0000 |
commit | 1b9e32664f4b73fc61fe9f20fb9f184743fc1b06 (patch) | |
tree | cb190522dd8b6f91e7e58af0d2da2d61f3d0534f | |
parent | cf130ce9d86253c4c4b91ff22c6ae27f8d165171 (diff) | |
download | openttd-1b9e32664f4b73fc61fe9f20fb9f184743fc1b06.tar.xz |
(svn r26070) -Fix: prevent extremely huge size for data (1+GiB)
-rw-r--r-- | src/newgrf_config.cpp | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/newgrf_config.cpp b/src/newgrf_config.cpp index df8685030..337b3edd1 100644 --- a/src/newgrf_config.cpp +++ b/src/newgrf_config.cpp @@ -335,7 +335,14 @@ size_t GRFGetSizeOfDataSection(FILE *f) if (fread(data, 1, header_len, f) == header_len) { if (data[0] == 0 && data[1] == 0 && MemCmpT(data + 2, _grf_cont_v2_sig, 8) == 0) { /* Valid container version 2, get data section size. */ - size_t offset = (data[13] << 24) | (data[12] << 16) | (data[11] << 8) | data[10]; + size_t offset = ((size_t)data[13] << 24) | ((size_t)data[12] << 16) | ((size_t)data[11] << 8) | (size_t)data[10]; + if (offset >= 1 * 1024 * 1024 * 1024) { + DEBUG(grf, 0, "Unexpectedly large offset for NewGRF"); + /* Having more than 1 GiB of data is very implausible. Mostly because then + * all pools in OpenTTD are flooded already. Or it's just Action C all over. + * In any case, the offsets to graphics will likely not work either. */ + return SIZE_MAX; + } return header_len + offset; } } |