From 9fd77742351b83f64da2f30ddd3726cb00fecf19 Mon Sep 17 00:00:00 2001
From: rubidium
Date: Thu, 19 Mar 2009 17:58:25 +0000
Subject: (svn r15767) -Fix: infinite loop when skipping sprites when a GRF is invalid (or truncated).
---
 src/spritecache.cpp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/spritecache.cpp b/src/spritecache.cpp
index 0e7bb9550..20c52104a 100644
--- a/src/spritecache.cpp
+++ b/src/spritecache.cpp
@@ -80,8 +80,9 @@ static void CompactSpriteCache();
 * Skip the given amount of sprite graphics data.
 * @param type the type of sprite (compressed etc)
 * @param num the amount of sprites to skip
+ * @return true if the data could be correctly skipped.
 */
-void SkipSpriteData(byte type, uint16 num)
+bool SkipSpriteData(byte type, uint16 num)
 {
 if (type & 2) {
 FioSkipBytes(num);
@@ -90,6 +91,7 @@ void SkipSpriteData(byte type, uint16 num)
 int8 i = FioReadByte();
 if (i >= 0) {
 int size = (i == 0) ? 0x80 : i;
+ if (size > num) return false;
 num -= size;
 FioSkipBytes(size);
 } else {
@@ -99,6 +101,7 @@ void SkipSpriteData(byte type, uint16 num)
 }
 }
 }
+ return true;
 }
 /**
@@ -120,9 +123,7 @@ static SpriteType ReadSpriteHeaderSkipData()
 }
 FioSkipBytes(7);
- SkipSpriteData(type, num - 8);
-
- return ST_NORMAL;
+ return SkipSpriteData(type, num - 8) ? ST_NORMAL : ST_INVALID;
 }
 /* Check if the given Sprite ID exists */
-- 
cgit v1.2.3-54-g00ecf
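Review bot: The return type of `SkipSpriteData` changes from `void` to `bool` in the first hunk, yet the diffstat lists only src/spritecache.cpp, so any declaration or call site in another file is left untouched by this commit. If such a declaration exists (none is visible here), it should become `bool SkipSpriteData(byte type, uint16 num);` and its callers should stop processing the GRF when the result is false. Otherwise a truncated file is only rejected on the ReadSpriteHeaderSkipData path. The function body continues past this hunk.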
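Review bot: Only the `i >= 0` branch in the second hunk gets the new bound check `if (size > num) return false;`; the `else` branch, whose body lies between this hunk and the next and is not shown, gets none. If that branch also subtracts from `num`, the unsigned `uint16` can still wrap there on a malformed sprite and keep the loop running, so it would need the same guard before its subtraction. A short comment on the added line would record the intent, for example `/* chunk larger than the remaining data: GRF is corrupt or truncated */`.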
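Review bot: In the last hunk `num - 8` is narrowed to `uint16` at the call `SkipSpriteData(type, num - 8)`, so a sprite whose declared size is below 8 wraps to a value near 65535. For `type & 2` sprites SkipSpriteData then calls `FioSkipBytes(num)` with that value and returns true, so ST_INVALID is never produced for that case. Unless `num` is validated earlier in ReadSpriteHeaderSkipData (the start of the function is outside the hunk), add `if (num < 8) return ST_INVALID;` before `FioSkipBytes(7);`. The function's doc comment should also mention that ST_INVALID can now be returned.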