From 3b2a92ea97f56cdd2d1870c1ae4afeae01d3f48e Mon Sep 17 00:00:00 2001
From: rubidium
Date: Sat, 23 Nov 2013 13:18:29 +0000
Subject: (svn r26062) -Fix: beef up checks against invalid data in highscore and language files
---
 src/highscore.cpp | 8 ++++----
 src/strings.cpp | 7 ++++++-
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/highscore.cpp b/src/highscore.cpp
index 2ce2d9bda..b2dcf8e5f 100644
--- a/src/highscore.cpp
+++ b/src/highscore.cpp
@@ -164,10 +164,10 @@ void LoadFromHighScore()
 for (i = 0; i < SP_SAVED_HIGHSCORE_END; i++) {
 for (hs = _highscore_table[i]; hs != endof(_highscore_table[i]); hs++) {
 byte length;
- if (fread(&length, sizeof(length), 1, fp) != 1 ||
- fread(hs->company, length, 1, fp) > 1 || // Yes... could be 0 bytes too
- fread(&hs->score, sizeof(hs->score), 1, fp) != 1 ||
- fseek(fp, 2, SEEK_CUR) == -1) { // XXX - placeholder for hs->title, not saved anymore; compatibility
+ if (fread(&length, sizeof(length), 1, fp) != 1 ||
+ fread(hs->company, min(lengthof(hs->company), length), 1, fp) > 1 || // Yes... could be 0 bytes too
+ fread(&hs->score, sizeof(hs->score), 1, fp) != 1 ||
+ fseek(fp, 2, SEEK_CUR) == -1) { // XXX - placeholder for hs->title, not saved anymore; compatibility
 DEBUG(misc, 1, "Highscore corrupted");
 i = SP_SAVED_HIGHSCORE_END;
 break;
diff --git a/src/strings.cpp b/src/strings.cpp
index 0a6b23902..c3916dcf7 100644
--- a/src/strings.cpp
+++ b/src/strings.cpp
@@ -1763,7 +1763,12 @@ bool ReadLanguagePack(const LanguageMetadata *lang)
 uint count = 0;
 for (uint i = 0; i < TAB_COUNT; i++) {
- uint num = lang_pack->offsets[i];
+ uint16 num = lang_pack->offsets[i];
+ if (num > TAB_SIZE) {
+ free(lang_pack);
+ return false;
+ }
+
 _langtab_start[i] = count;
 _langtab_num[i] = num;
 count += num;
-- cgit v1.2.3-54-g00ecf
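Review bot: Clamping the company read with `min(lengthof(hs->company), length)` stops the overflow but leaves the stream misaligned whenever `length` exceeds the buffer, because the surplus bytes are never consumed and the score and placeholder reads that follow then pick up data from the wrong offset; it also lets a name that exactly fills the buffer arrive with no terminating NUL, and nothing in the hunk adds one, which matters if `hs->company` is later used as a C string. Since the writer presumably never emits more than `lengthof(hs->company)` bytes, treating an oversized length as corruption is simpler and keeps the file position in sync: add `length > lengthof(hs->company) ||` immediately after the `length` read, and force termination after the check with `hs->company[lengthof(hs->company) - 1] = '\0';`. Note also that with an `nmemb` of 1 the `> 1` comparison on the company read can never be true, so a short read there is only caught indirectly by the score read that follows. LoadFromHighScore begins and ends outside this hunk.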