diff options
| author | rubidium <rubidium@openttd.org> | 2013-11-23 13:18:29 +0000 |
|---|---|---|
| committer | rubidium <rubidium@openttd.org> | 2013-11-23 13:18:29 +0000 |
| commit | 3b2a92ea97f56cdd2d1870c1ae4afeae01d3f48e (patch) | |
| tree | ed31b257e1cf33132020e3aa737dd3acc38aede7 /src | |
| parent | 78a316d349f02c76b89c6fd7597e7013c062133a (diff) | |
| download | openttd-3b2a92ea97f56cdd2d1870c1ae4afeae01d3f48e.tar.xz | |
(svn r26062) -Fix: beef up checks against invalid data in highscore and language files
Diffstat (limited to 'src')
| -rw-r--r-- | src/highscore.cpp | 8 | ||||
| -rw-r--r-- | src/strings.cpp | 7 |
2 files changed, 10 insertions, 5 deletions
diff --git a/src/highscore.cpp b/src/highscore.cpp index 2ce2d9bda..b2dcf8e5f 100644 --- a/src/highscore.cpp +++ b/src/highscore.cpp @@ -164,10 +164,10 @@ void LoadFromHighScore() for (i = 0; i < SP_SAVED_HIGHSCORE_END; i++) { for (hs = _highscore_table[i]; hs != endof(_highscore_table[i]); hs++) { byte length; - if (fread(&length, sizeof(length), 1, fp) != 1 || - fread(hs->company, length, 1, fp) > 1 || // Yes... could be 0 bytes too - fread(&hs->score, sizeof(hs->score), 1, fp) != 1 || - fseek(fp, 2, SEEK_CUR) == -1) { // XXX - placeholder for hs->title, not saved anymore; compatibility + if (fread(&length, sizeof(length), 1, fp) != 1 || + fread(hs->company, min<int>(lengthof(hs->company), length), 1, fp) > 1 || // Yes... could be 0 bytes too + fread(&hs->score, sizeof(hs->score), 1, fp) != 1 || + fseek(fp, 2, SEEK_CUR) == -1) { // XXX - placeholder for hs->title, not saved anymore; compatibility DEBUG(misc, 1, "Highscore corrupted"); i = SP_SAVED_HIGHSCORE_END; break; diff --git a/src/strings.cpp b/src/strings.cpp index 0a6b23902..c3916dcf7 100644 --- a/src/strings.cpp +++ b/src/strings.cpp @@ -1763,7 +1763,12 @@ bool ReadLanguagePack(const LanguageMetadata *lang) uint count = 0; for (uint i = 0; i < TAB_COUNT; i++) { - uint num = lang_pack->offsets[i]; + uint16 num = lang_pack->offsets[i]; + if (num > TAB_SIZE) { + free(lang_pack); + return false; + } + _langtab_start[i] = count; _langtab_num[i] = num; count += num; |