From b910ae9886be0bdd1289ccff19899713865e6466 Mon Sep 17 00:00:00 2001
From: frosch <frosch@openttd.org>
Date: Sat, 3 Sep 2011 10:52:43 +0000
Subject: (svn r22878) -Fix (r22873-ish): Check range before casting to uint16.

---
 src/spriteloader/png.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/spriteloader/png.cpp b/src/spriteloader/png.cpp
index 27ff3cc9b..693623ead 100644
--- a/src/spriteloader/png.cpp
+++ b/src/spriteloader/png.cpp
@@ -106,13 +106,15 @@ static bool LoadPNG(SpriteLoader::Sprite *sprite, const char *filename, uint32 i
 			if (strcmp("y_offs", text_ptr[i].key) == 0) sprite->y_offs = strtol(text_ptr[i].text, NULL, 0);
 		}
 
-		sprite->height = png_get_image_height(png_ptr, info_ptr);
-		sprite->width  = png_get_image_width(png_ptr, info_ptr);
+		uint height = png_get_image_height(png_ptr, info_ptr);
+		uint width  = png_get_image_width(png_ptr, info_ptr);
 		/* Check if sprite dimensions aren't larger than what is allowed in GRF-files. */
-		if (sprite->height > UINT8_MAX || sprite->width > UINT16_MAX) {
+		if (height > UINT8_MAX || width > UINT16_MAX) {
 			png_destroy_read_struct(&png_ptr, &info_ptr, &end_info);
 			return false;
 		}
+		sprite->height = height;
+		sprite->width  = width;
 		sprite->AllocateData(sprite->width * sprite->height);
 	} else if (sprite->height != png_get_image_height(png_ptr, info_ptr) || sprite->width != png_get_image_width(png_ptr, info_ptr)) {
 		/* Make sure the mask image isn't larger than the sprite image. */
-- 
cgit v1.2.3-54-g00ecf