From 3a3162865b3174bddcc295fd4bd4eb5398a50ea5 Mon Sep 17 00:00:00 2001
From: smatz <smatz@openttd.org>
Date: Mon, 14 Jan 2013 21:16:56 +0000
Subject: (svn r24915) -Fix: Several out-of-bounds reads

---
 src/cargotype.h       | 4 ++--
 src/highscore_gui.cpp | 2 +-
 src/strings.cpp       | 8 ++++----
 src/widget.cpp        | 2 ++
 4 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/src/cargotype.h b/src/cargotype.h
index ae38dcb25..fee461d7f 100644
--- a/src/cargotype.h
+++ b/src/cargotype.h
@@ -163,13 +163,13 @@ static inline bool IsCargoInClass(CargoID c, CargoClass cc)
  * @param var Reference getting the cargospec.
  * @see CargoSpec
  */
-#define FOR_ALL_SORTED_CARGOSPECS(var) for (uint8 index = 0; var = _sorted_cargo_specs[index], index < _sorted_cargo_specs_size; index++)
+#define FOR_ALL_SORTED_CARGOSPECS(var) for (uint8 index = 0; index < _sorted_cargo_specs_size && (var = _sorted_cargo_specs[index], true) ; index++)
 
 /**
  * Loop header for iterating over 'real' cargoes, sorted by name. Phony cargoes like regearing cargoes are skipped.
  * @param var Reference getting the cargospec.
  * @see CargoSpec
  */
-#define FOR_ALL_SORTED_STANDARD_CARGOSPECS(var) for (uint8 index = 0; var = _sorted_cargo_specs[index], index < _sorted_standard_cargo_specs_size; index++)
+#define FOR_ALL_SORTED_STANDARD_CARGOSPECS(var) for (uint8 index = 0; index < _sorted_standard_cargo_specs_size && (var = _sorted_cargo_specs[index], true); index++)
 
 #endif /* CARGOTYPE_H */
diff --git a/src/highscore_gui.cpp b/src/highscore_gui.cpp
index 079b16e7f..768b32e49 100644
--- a/src/highscore_gui.cpp
+++ b/src/highscore_gui.cpp
@@ -200,7 +200,7 @@ struct HighScoreWindow : EndGameHighScoreBaseWindow {
 };
 
 static const NWidgetPart _nested_highscore_widgets[] = {
-	NWidget(WWT_PANEL, COLOUR_END, WID_H_BACKGROUND), SetMinimalSize(641, 481), SetResize(1, 1), EndContainer(),
+	NWidget(WWT_PANEL, COLOUR_BROWN, WID_H_BACKGROUND), SetMinimalSize(641, 481), SetResize(1, 1), EndContainer(),
 };
 
 static const WindowDesc _highscore_desc(
diff --git a/src/strings.cpp b/src/strings.cpp
index 0fd9b5b41..1e6a0be99 100644
--- a/src/strings.cpp
+++ b/src/strings.cpp
@@ -2063,12 +2063,12 @@ class LanguagePackGlyphSearcher : public MissingGlyphSearcher {
 	{
 		if (this->i >= TAB_COUNT) return NULL;
 
-		const char *ret = _langpack_offs[_langtab_start[i] + j];
+		const char *ret = _langpack_offs[_langtab_start[this->i] + this->j];
 
 		this->j++;
-		while (this->j >= _langtab_num[this->i] && this->i < TAB_COUNT) {
-			i++;
-			j = 0;
+		while (this->i < TAB_COUNT && this->j >= _langtab_num[this->i]) {
+			this->i++;
+			this->j = 0;
 		}
 
 		return ret;
diff --git a/src/widget.cpp b/src/widget.cpp
index fc6b88101..c3f9eca29 100644
--- a/src/widget.cpp
+++ b/src/widget.cpp
@@ -175,6 +175,8 @@ int GetWidgetFromPos(const Window *w, int x, int y)
  */
 void DrawFrameRect(int left, int top, int right, int bottom, Colours colour, FrameFlags flags)
 {
+	assert(colour < COLOUR_END);
+
 	uint dark         = _colour_gradient[colour][3];
 	uint medium_dark  = _colour_gradient[colour][5];
 	uint medium_light = _colour_gradient[colour][6];
-- 
cgit v1.2.3-54-g00ecf