diff options
author | michi_cc <michi_cc@openttd.org> | 2011-09-02 20:16:34 +0000 |
---|---|---|
committer | michi_cc <michi_cc@openttd.org> | 2011-09-02 20:16:34 +0000 |
commit | 6c7cbb1d46d266d33e49bd42a52e483296313882 (patch) | |
tree | 4167142f752c1d145a121109067d3cf6844b0b8c /src/spriteloader | |
parent | 655d45e7d391582fb67c83f109e69bcd027bdec6 (diff) | |
download | openttd-6c7cbb1d46d266d33e49bd42a52e483296313882.tar.xz |
(svn r22873) -Fix [FS#4747]: Validate image dimensions before loading. (Based on patch by monoid)
Diffstat (limited to 'src/spriteloader')
-rw-r--r-- | src/spriteloader/png.cpp | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/src/spriteloader/png.cpp b/src/spriteloader/png.cpp index d31184385..27ff3cc9b 100644 --- a/src/spriteloader/png.cpp +++ b/src/spriteloader/png.cpp @@ -108,7 +108,17 @@ static bool LoadPNG(SpriteLoader::Sprite *sprite, const char *filename, uint32 i sprite->height = png_get_image_height(png_ptr, info_ptr); sprite->width = png_get_image_width(png_ptr, info_ptr); + /* Check if sprite dimensions aren't larger than what is allowed in GRF-files. */ + if (sprite->height > UINT8_MAX || sprite->width > UINT16_MAX) { + png_destroy_read_struct(&png_ptr, &info_ptr, &end_info); + return false; + } sprite->AllocateData(sprite->width * sprite->height); + } else if (sprite->height != png_get_image_height(png_ptr, info_ptr) || sprite->width != png_get_image_width(png_ptr, info_ptr)) { + /* Make sure the mask image isn't larger than the sprite image. */ + DEBUG(misc, 0, "Ignoring mask for SpriteID %d as it isn't the same dimension as the masked sprite", id); + png_destroy_read_struct(&png_ptr, &info_ptr, &end_info); + return true; } bit_depth = png_get_bit_depth(png_ptr, info_ptr); @@ -116,6 +126,7 @@ static bool LoadPNG(SpriteLoader::Sprite *sprite, const char *filename, uint32 i if (mask && (bit_depth != 8 || colour_type != PNG_COLOR_TYPE_PALETTE)) { DEBUG(misc, 0, "Ignoring mask for SpriteID %d as it isn't a 8 bit palette image", id); + png_destroy_read_struct(&png_ptr, &info_ptr, &end_info); return true; } |