author | michi_cc <michi_cc@openttd.org> | 2011-09-02 20:16:41 +0000 |
---|---|---|
committer | michi_cc <michi_cc@openttd.org> | 2011-09-02 20:16:41 +0000 |
commit | 65637d89411e96dee5ee9fc2e8a7b3805c4162a2 (patch) | |
tree | 79fdfb3cefba4457d3b81760173c5ca68e359a81 | |
parent | 6c7cbb1d46d266d33e49bd42a52e483296313882 (diff) | |
download | openttd-65637d89411e96dee5ee9fc2e8a7b3805c4162a2.tar.xz |
(svn r22874) -Fix [FS#4747]: Check size of various buffers before allocation. (monoid)
-rw-r--r-- | src/fontcache.cpp | 3 | ||||
-rw-r--r-- | src/openttd.cpp | 9 | ||||
-rw-r--r-- | src/script/squirrel_helper.hpp | 3 | ||||
-rw-r--r-- | src/sound.cpp | 3 | ||||
-rw-r--r-- | src/sound/win32_s.cpp | 2 |
5 files changed, 15 insertions, 5 deletions
diff --git a/src/fontcache.cpp b/src/fontcache.cpp
index b279c3463..616c54a9e 100644
--- a/src/fontcache.cpp
+++ b/src/fontcache.cpp
@@ -1034,6 +1034,9 @@ const Sprite *GetGlyph(FontSize size, WChar key)
 width = max(1, slot->bitmap.width + (size == FS_NORMAL));
 height = max(1, slot->bitmap.rows + (size == FS_NORMAL));
 
+ /* Limit glyph size to prevent overflows later on. */
+ if (width > 256 || height > 256) usererror("Font glyph is too large");
+
 /* FreeType has rendered the glyph, now we allocate a sprite and copy the image into it */
 sprite.AllocateData(width * height);
 sprite.width = width;
diff --git a/src/openttd.cpp b/src/openttd.cpp
index 5cd5eba37..af1f77f4e 100644
--- a/src/openttd.cpp
+++ b/src/openttd.cpp
@@ -596,11 +596,12 @@ int ttd_main(int argc, char *argv[])
 
 /*
 * The width and height must be at least 1 pixel and width times
- * height must still fit within a 32 bits integer, this way all
- * internal drawing routines work correctly.
+ * height times bytes per pixel must still fit within a 32 bits
+ * integer, even for 32 bpp video modes. This way all internal
+ * drawing routines work correctly.
 */
- _cur_resolution.width = ClampU(_cur_resolution.width, 1, UINT16_MAX);
- _cur_resolution.height = ClampU(_cur_resolution.height, 1, UINT16_MAX);
+ _cur_resolution.width = ClampU(_cur_resolution.width, 1, UINT16_MAX / 2);
+ _cur_resolution.height = ClampU(_cur_resolution.height, 1, UINT16_MAX / 2);
 
 /* enumerate language files */
 InitializeLanguagePacks();
diff --git a/src/script/squirrel_helper.hpp b/src/script/squirrel_helper.hpp
index a7d0bf7ba..babdf74b3 100644
--- a/src/script/squirrel_helper.hpp
+++ b/src/script/squirrel_helper.hpp
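Review bot: The bound in `if (width > 256 || height > 256)` is a bare literal, and the comment "prevent overflows later on" does not name the computation it protects, so a later reader cannot tell whether 256 is a hard requirement of a downstream field or an arbitrary ceiling. Glyph dimensions come from the loaded font file, so this is a trust boundary worth documenting: give the limit a name (for example `static const int MAX_GLYPH_DIM = 256;`, a constructed name) and state in the comment which width, height or size field it keeps in range. usererror() appears to be fatal, which would make one oversized glyph in a user-selected font stop the program instead of skipping the glyph; please confirm that is intended. GetGlyph starts and ends outside the hunk.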
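Review bot: The new clamp in ttd_main satisfies the rewritten comment only if the product is computed in an unsigned 32-bit type: with both dimensions at `UINT16_MAX / 2` (32767), width * height * 4 is 4,294,705,156, which fits in a uint32 but is roughly twice INT32_MAX. If any drawing or allocation routine does this multiplication in a signed `int` (not visible in this hunk), it still overflows at 32 bpp. Either make the comment say "an unsigned 32 bits integer" or tighten the limit so that the 32 bpp product also fits a signed int. Resolutions chosen later at run time would need the same bound, and that path is outside the hunk.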
@@ -118,6 +118,9 @@ namespace SQConvert {
 
 template <> inline Array *GetParam(ForceType<Array *>, HSQUIRRELVM vm, int index, SQAutoFreePointers *ptr)
 {
+ /* Sanity check of the size. */
+ if (sq_getsize(vm, index) > UINT16_MAX) throw sq_throwerror(vm, _SC("an array used as parameter to a function is too large"));
+
 SQObject obj;
 sq_getstackobj(vm, index, &obj);
 sq_pushobject(vm, obj);
diff --git a/src/sound.cpp b/src/sound.cpp
index 283407882..89d22244c 100644
--- a/src/sound.cpp
+++ b/src/sound.cpp
@@ -110,7 +110,8 @@ static bool SetBankSource(MixerChannel *mc, const SoundEntry *sound)
 {
 assert(sound != NULL);
 
- if (sound->file_size == 0) return false;
+ /* Check for valid sound size. */
+ if (sound->file_size == 0 || sound->file_size > ((size_t)-1) - 2) return false;
 
 int8 *mem = MallocT<int8>(sound->file_size + 2);
 /* Add two extra bytes so rate conversion can read these
diff --git a/src/sound/win32_s.cpp b/src/sound/win32_s.cpp
index c0e5da5d2..ef3f98f40 100644
--- a/src/sound/win32_s.cpp
+++ b/src/sound/win32_s.cpp
@@ -63,7 +63,9 @@ const char *SoundDriver_Win32::Start(const char * const *parm)
 wfex.nBlockAlign = (wfex.nChannels * wfex.wBitsPerSample) / 8;
 wfex.nAvgBytesPerSec = wfex.nSamplesPerSec * wfex.nBlockAlign;
 
+ /* Limit buffer size to prevent overflows. */
 _bufsize = GetDriverParamInt(parm, "bufsize", (GB(GetVersion(), 0, 8) > 5) ? 8192 : 4096);
+ _bufsize = min(_bufsize, UINT16_MAX);
 
 try {
 if (NULL == (_event = CreateEvent(NULL, FALSE, FALSE, NULL))) throw "Failed to create event"; |
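Review bot: The added check `sq_getsize(vm, index) > UINT16_MAX` rejects only large positive sizes; nothing in the visible lines confirms beforehand that the stack slot holds an array, and if sq_getsize reports failure with a negative value that result passes the test. Arrays handed in by scripts are untrusted input to this conversion, so I would test both ends: `SQInteger size = sq_getsize(vm, index);` followed by `if (size < 0 || size > UINT16_MAX) throw sq_throwerror(...)` with the existing message. The comment "Sanity check of the size" could also say which later allocation or counter the UINT16_MAX limit protects. GetParam's body continues past the end of the hunk.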
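Review bot: The new upper bound `sound->file_size > ((size_t)-1) - 2` protects the `+ 2` in the MallocT call only if file_size is itself a size_t; its declaration is not in this hunk. If the field is a narrower unsigned type, `sound->file_size + 2` wraps in that type before MallocT sees it, and on a 64-bit build this comparison can never fire. The check also accepts any size up to nearly the whole address space, so a corrupt sound header can still drive a very large allocation request; comparing against the remaining length of the source file, or a documented maximum, would be a tighter defence. The comment would be clearer as `/* Reject empty sounds and sizes where adding the two padding bytes would wrap. */`.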
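Review bot: `_bufsize = min(_bufsize, UINT16_MAX);` caps the upper end only, so a zero or negative `bufsize` driver parameter still reaches whatever sizes the wave buffers further down in Start (outside the hunk). GetDriverParamInt presumably parses a user-supplied string, so both ends should be clamped, e.g. `_bufsize = Clamp(_bufsize, MIN_BUFSIZE, UINT16_MAX);` where MIN_BUFSIZE is a placeholder for the smallest size the driver can work with. The new comment would also read better directly above the `min` line it describes rather than above the parameter read.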