From da55286c2c83a554130e7712343ddcd2f3f063c7 Mon Sep 17 00:00:00 2001
From: Milek7
Date: Sat, 17 Apr 2021 20:19:18 +0200
Subject: Fix: Corrupted savegame could crash the game by providing invalid gamelog enums. (#9045)

---
 src/saveload/gamelog_sl.cpp | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

(limited to 'src')

diff --git a/src/saveload/gamelog_sl.cpp b/src/saveload/gamelog_sl.cpp
index 6bff1b154..d68297c9a 100644
--- a/src/saveload/gamelog_sl.cpp
+++ b/src/saveload/gamelog_sl.cpp
@@ -107,8 +107,11 @@ static void Load_GLOG_common(LoggedAction *&gamelog_action, uint &gamelog_action
 assert(gamelog_action == nullptr);
 assert(gamelog_actions == 0);
- GamelogActionType at;
- while ((at = (GamelogActionType)SlReadByte()) != GLAT_NONE) {
+ byte type;
+ while ((type = SlReadByte()) != GLAT_NONE) {
+ if (type >= GLAT_END) SlErrorCorrupt("Invalid gamelog action type");
+ GamelogActionType at = (GamelogActionType)type;
+
 gamelog_action = ReallocT(gamelog_action, gamelog_actions + 1);
 LoggedAction *la = &gamelog_action[gamelog_actions++];
@@ -118,8 +121,10 @@ static void Load_GLOG_common(LoggedAction *&gamelog_action, uint &gamelog_action
 la->change = nullptr;
 la->changes = 0;
- GamelogChangeType ct;
- while ((ct = (GamelogChangeType)SlReadByte()) != GLCT_NONE) {
+ while ((type = SlReadByte()) != GLCT_NONE) {
+ if (type >= GLCT_END) SlErrorCorrupt("Invalid gamelog change type");
+ GamelogChangeType ct = (GamelogChangeType)type;
+
 la->change = ReallocT(la->change, la->changes + 1);
 LoggedChange *lc = &la->change[la->changes++];
@@ -127,8 +132,6 @@ static void Load_GLOG_common(LoggedAction *&gamelog_action, uint &gamelog_action
 memset(lc, 0, sizeof(*lc));
 lc->ct = ct;
- assert((uint)ct < GLCT_END);
-
 SlObject(lc, _glog_desc[ct]);
 }
 }
-- 
cgit v1.2.3-54-g00ecf
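Review bot: The new `type >= GLCT_END` check in the second hunk is the only thing that keeps the later `SlObject(lc, _glog_desc[ct])` index in bounds, and that is sound only while `_glog_desc` has exactly `GLCT_END` entries; the array is defined outside these hunks, so the invariant deserves to be pinned next to its definition, e.g. `static_assert(lengthof(_glog_desc) == GLCT_END, "_glog_desc must have one entry per GamelogChangeType");` (assuming `_glog_desc` is a fixed-size array). The same pattern in the first hunk (`type >= GLAT_END`) has no table lookup visible here, so it needs no such assertion, but a one-line comment on both checks would help a reader see why the raw byte is validated before the enum cast: `/* Validate the raw byte before casting: an out-of-range enum value would otherwise index _glog_desc and other per-type tables. */`. Note that the previous `assert((uint)ct < GLCT_END)` removed in the third hunk was compiled out of release builds, so this is the first time the bound is enforced for real on corrupted input. `Load_GLOG_common` starts before the first hunk and ends after the last one.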