summaryrefslogtreecommitdiff
path: root/src/spriteloader
diff options
context:
space:
mode:
authormichi_cc <michi_cc@openttd.org>2011-09-02 20:16:34 +0000
committermichi_cc <michi_cc@openttd.org>2011-09-02 20:16:34 +0000
commit6c7cbb1d46d266d33e49bd42a52e483296313882 (patch)
tree4167142f752c1d145a121109067d3cf6844b0b8c /src/spriteloader
parent655d45e7d391582fb67c83f109e69bcd027bdec6 (diff)
downloadopenttd-6c7cbb1d46d266d33e49bd42a52e483296313882.tar.xz
(svn r22873) -Fix [FS#4747]: Validate image dimensions before loading. (Based on patch by monoid)
Diffstat (limited to 'src/spriteloader')
-rw-r--r--src/spriteloader/png.cpp11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/spriteloader/png.cpp b/src/spriteloader/png.cpp
index d31184385..27ff3cc9b 100644
--- a/src/spriteloader/png.cpp
+++ b/src/spriteloader/png.cpp
@@ -108,7 +108,17 @@ static bool LoadPNG(SpriteLoader::Sprite *sprite, const char *filename, uint32 i
sprite->height = png_get_image_height(png_ptr, info_ptr);
sprite->width = png_get_image_width(png_ptr, info_ptr);
+ /* Check if sprite dimensions aren't larger than what is allowed in GRF-files. */
+ if (sprite->height > UINT8_MAX || sprite->width > UINT16_MAX) {
+ png_destroy_read_struct(&png_ptr, &info_ptr, &end_info);
+ return false;
+ }
sprite->AllocateData(sprite->width * sprite->height);
+ } else if (sprite->height != png_get_image_height(png_ptr, info_ptr) || sprite->width != png_get_image_width(png_ptr, info_ptr)) {
+ /* Make sure the mask image isn't larger than the sprite image. */
+ DEBUG(misc, 0, "Ignoring mask for SpriteID %d as it isn't the same dimension as the masked sprite", id);
+ png_destroy_read_struct(&png_ptr, &info_ptr, &end_info);
+ return true;
}
bit_depth = png_get_bit_depth(png_ptr, info_ptr);
@@ -116,6 +126,7 @@ static bool LoadPNG(SpriteLoader::Sprite *sprite, const char *filename, uint32 i
if (mask && (bit_depth != 8 || colour_type != PNG_COLOR_TYPE_PALETTE)) {
DEBUG(misc, 0, "Ignoring mask for SpriteID %d as it isn't a 8 bit palette image", id);
+ png_destroy_read_struct(&png_ptr, &info_ptr, &end_info);
return true;
}