From 807b833e4d82c7fc2d19e65d4f13f041f4669844 Mon Sep 17 00:00:00 2001
From: rubidium
Date: Wed, 8 Aug 2007 14:18:05 +0000
Subject: (svn r10827) -Fix [FS#1112]: out of bounds access in corner case of list allocations of vehicles.
---
 src/oldpool.h | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/src/oldpool.h b/src/oldpool.h
index caeabccab..9f79d632e 100644
--- a/src/oldpool.h
+++ b/src/oldpool.h
@@ -234,22 +234,14 @@ struct PoolItem {
 return false;
 }

-protected:
- /**
- * Allocate a pool item; possibly allocate a new block in the pool.
- * @return the allocated pool item (or NULL when the pool is full).
- */
- static inline T *AllocateRaw()
- {
- return AllocateRaw(Tpool->first_free_index);
- }
-
+private:
 /**
 * Allocate a pool item; possibly allocate a new block in the pool.
 * @param first the first pool item to start searching
+ * @pre first <= Tpool->GetSize()
 * @return the allocated pool item (or NULL when the pool is full).
 */
- static inline T *AllocateRaw(uint &first)
+ static inline T *AllocateSafeRaw(uint &first)
 {
 uint last_minus_one = Tpool->GetSize() - 1;

@@ -270,6 +262,28 @@ protected:
 return NULL;
 }

+protected:
+ /**
+ * Allocate a pool item; possibly allocate a new block in the pool.
+ * @return the allocated pool item (or NULL when the pool is full).
+ */
+ static inline T *AllocateRaw()
+ {
+ return AllocateSafeRaw(Tpool->first_free_index);
+ }
+
+ /**
+ * Allocate a pool item; possibly allocate a new block in the pool.
+ * @param first the first pool item to start searching
+ * @return the allocated pool item (or NULL when the pool is full).
+ */
+ static inline T *AllocateRaw(uint &first)
+ {
+ if (first >= Tpool->GetSize() && !Tpool->AddBlockToPool()) return NULL;
+
+ return AllocateSafeRaw(first);
+ }
+
 /**
 * Are we cleaning this pool?
 * @return true if we are
--
cgit v1.2.3-70-g09d2
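Review bot: The new `@pre first <= Tpool->GetSize()` on AllocateSafeRaw is only documented, never checked, and it admits `first == GetSize()` even though the guarded overload added later in this commit treats that value as out of range. The first statement, `uint last_minus_one = Tpool->GetSize() - 1;`, is unsigned arithmetic, so with an empty pool it wraps to the maximum value while the stated precondition still holds. Whether either case is harmless depends on the search loop, which lies outside this hunk. I would enforce the contract in debug builds with `assert(first <= Tpool->GetSize());` and add a comment saying why equality and an empty pool are safe, or tighten the `@pre` if they are not. The no-argument AllocateRaw() passes `Tpool->first_free_index` through without any guard, so it depends entirely on this precondition.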
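Review bot: The guard in `AllocateRaw(uint &first)` grows the pool by at most one block, so a `first` more than one block past the current size would still reach AllocateSafeRaw with its precondition violated. Callers are not visible in this diff, so this may be unreachable today, but the function takes the index by reference from outside and nothing here bounds it. Re-checking after each growth closes the gap: `while (first >= Tpool->GetSize()) { if (!Tpool->AddBlockToPool()) return NULL; }`. If callers are instead guaranteed to pass at most `GetSize()`, state that as an `@pre` on this overload as well so the two doc comments agree.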