From 6c7cbb1d46d266d33e49bd42a52e483296313882 Mon Sep 17 00:00:00 2001
From: michi_cc
Date: Fri, 2 Sep 2011 20:16:34 +0000
Subject: (svn r22873) -Fix [FS#4747]: Validate image dimensions before loading. (Based on patch by monoid)
---
 src/spriteloader/png.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'src/spriteloader/png.cpp')
diff --git a/src/spriteloader/png.cpp b/src/spriteloader/png.cpp
index d31184385..27ff3cc9b 100644
--- a/src/spriteloader/png.cpp
+++ b/src/spriteloader/png.cpp
@@ -108,7 +108,17 @@ static bool LoadPNG(SpriteLoader::Sprite *sprite, const char *filename, uint32 i
 sprite->height = png_get_image_height(png_ptr, info_ptr);
 sprite->width = png_get_image_width(png_ptr, info_ptr);
+ /* Check if sprite dimensions aren't larger than what is allowed in GRF-files. */
+ if (sprite->height > UINT8_MAX || sprite->width > UINT16_MAX) {
+ png_destroy_read_struct(&png_ptr, &info_ptr, &end_info);
+ return false;
+ }
 sprite->AllocateData(sprite->width * sprite->height);
+ } else if (sprite->height != png_get_image_height(png_ptr, info_ptr) || sprite->width != png_get_image_width(png_ptr, info_ptr)) {
+ /* Make sure the mask image isn't larger than the sprite image. */
+ DEBUG(misc, 0, "Ignoring mask for SpriteID %d as it isn't the same dimension as the masked sprite", id);
+ png_destroy_read_struct(&png_ptr, &info_ptr, &end_info);
+ return true;
 }
 bit_depth = png_get_bit_depth(png_ptr, info_ptr);
@@ -116,6 +126,7 @@ static bool LoadPNG(SpriteLoader::Sprite *sprite, const char *filename, uint32 i
 if (mask && (bit_depth != 8 || colour_type != PNG_COLOR_TYPE_PALETTE)) {
 DEBUG(misc, 0, "Ignoring mask for SpriteID %d as it isn't a 8 bit palette image", id);
+ png_destroy_read_struct(&png_ptr, &info_ptr, &end_info);
 return true;
 }
-- 
cgit v1.2.3-54-g00ecf
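Review bot: The new bounds check in the non-mask branch tests `sprite->height` and `sprite->width` only after the libpng values have been stored into them, so if those Sprite fields are narrower than 32 bits (their declaration is not in this hunk) an oversized dimension is truncated first and the check passes on the wrapped value. Reading into locals and testing those before the assignment avoids that: `png_uint_32 h = png_get_image_height(png_ptr, info_ptr), w = png_get_image_width(png_ptr, info_ptr);` followed by `if (h > UINT8_MAX || w > UINT16_MAX) { ... return false; }`. The rejection also returns without a `DEBUG` line, unlike the mask path added just below it, so a refused file leaves no trace in the log. LoadPNG starts and ends outside the hunk.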
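Review bot: This is the third early return in the patch that repeats `png_destroy_read_struct(&png_ptr, &info_ptr, &end_info);` by hand (the other two are in the previous hunk), and the mask exit here lacked it before the commit, which shows how easily the pattern is missed. A single cleanup exit, or at least a comment near the top of the function such as `/* Every return after the read struct is created must call png_destroy_read_struct(). */`, would keep the next early return from leaking on malformed input. Whether the remaining exits of LoadPNG are covered cannot be seen from these hunks.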