From faf5e19aaedfa5ec70ddde2ba7be60909899616a Mon Sep 17 00:00:00 2001
From: yexo
Date: Tue, 6 Apr 2010 21:16:36 +0000
Subject: (svn r19569) -Fix: possible buffer underflow in newgrf string code
---
 src/newgrf_text.cpp | 4 ++--
 src/newgrf_text.h | 2 +-
 src/strings.cpp | 3 ++-
 3 files changed, 5 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/newgrf_text.cpp b/src/newgrf_text.cpp
index 6cf10f1c8..a564e1917 100644
--- a/src/newgrf_text.cpp
+++ b/src/newgrf_text.cpp
@@ -636,7 +636,7 @@ void RewindTextRefStack()
 * @param argv the OpenTTD stack of values
 * @return the string control code to "execute" now
 */
-uint RemapNewGRFStringControlCode(uint scc, char **buff, const char **str, int64 *argv)
+uint RemapNewGRFStringControlCode(uint scc, char *buf_start, char **buff, const char **str, int64 *argv)
 {
 if (_newgrf_textrefstack->used) {
 switch (scc) {
@@ -663,7 +663,7 @@ uint RemapNewGRFStringControlCode(uint scc, char **buff, const char **str, int64
 case SCC_NEWGRF_ROTATE_TOP_4_WORDS: _newgrf_textrefstack->RotateTop4Words(); break;
 case SCC_NEWGRF_PUSH_WORD: _newgrf_textrefstack->PushWord(Utf8Consume(str)); break;
- case SCC_NEWGRF_UNPRINT: *buff -= Utf8Consume(str); break;
+ case SCC_NEWGRF_UNPRINT: *buff = max(*buff - Utf8Consume(str), buf_start); break;
 case SCC_NEWGRF_PRINT_STRING_ID:
 *argv = TTDPStringIDToOTTDStringIDMapping(_newgrf_textrefstack->PopUnsignedWord());
diff --git a/src/newgrf_text.h b/src/newgrf_text.h
index d75246e25..bfd308ca3 100644
--- a/src/newgrf_text.h
+++ b/src/newgrf_text.h
@@ -28,7 +28,7 @@ void StopTextRefStackUsage();
 void SwitchToNormalRefStack();
 void SwitchToErrorRefStack();
 void RewindTextRefStack();
-uint RemapNewGRFStringControlCode(uint scc, char **buff, const char **str, int64 *argv);
+uint RemapNewGRFStringControlCode(uint scc, char *buf_start, char **buff, const char **str, int64 *argv);
 StringID TTDPStringIDToOTTDStringIDMapping(StringID string);
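Review bot: The Doxygen block directly above the new signature is not updated for the added `buf_start` parameter; the hunk still ends with `@param argv` and `@return` only, so the contract of the new argument is documented nowhere (the prototype change in src/newgrf_text.h carries no comment either). Add `* @param buf_start start of the output buffer; SCC_NEWGRF_UNPRINT must not rewind *buff before this point` ahead of the `@param argv` line. The body of RemapNewGRFStringControlCode continues outside the hunk.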
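Review bot: In the SCC_NEWGRF_UNPRINT case, `*buff - Utf8Consume(str)` is still evaluated before `max` clamps it, so when the NewGRF-supplied count exceeds the bytes written since `buf_start` the subtraction forms a pointer in front of the buffer, which is undefined behaviour in C++ even though `max` then discards it; on the usual flat address space it happens to work, but it is exactly the kind of expression a newer optimizer is allowed to reason about. Compare the distance first and move the pointer only when it is in range: `WChar n = Utf8Consume(str);` / `*buff = ((size_t)(*buff - buf_start) < n) ? buf_start : *buff - n;`. The `max` call also relies on the project template accepting two `char *` arguments, which the hunk does not show; the explicit comparison avoids that dependency. The enclosing switch and function continue outside the hunk.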
diff --git a/src/strings.cpp b/src/strings.cpp
index 59983a539..0d8b48eaf 100644
--- a/src/strings.cpp
+++ b/src/strings.cpp
@@ -554,11 +554,12 @@ static char *FormatString(char *buff, const char *str, int64 *argv, uint casei,
 WChar b;
 int64 *argv_orig = argv;
 uint modifier = 0;
+ char *buf_start = buff;
 while ((b = Utf8Consume(&str)) != '\0') {
 if (SCC_NEWGRF_FIRST <= b && b <= SCC_NEWGRF_LAST) {
 /* We need to pass some stuff as it might be modified; oh boy. */
- b = RemapNewGRFStringControlCode(b, &buff, &str, argv);
+ b = RemapNewGRFStringControlCode(b, buf_start, &buff, &str, argv);
 if (b == 0) continue;
 }
--
cgit v1.2.3-54-g00ecf
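Review bot: The new `buf_start` local carries no comment saying what it bounds, so a reader of FormatString has to follow it into RemapNewGRFStringControlCode to learn that it is the floor for SCC_NEWGRF_UNPRINT rewinds. Suggest `char *buf_start = buff; // SCC_NEWGRF_UNPRINT may not move buff before this point`. Note that this floor is the buffer position at entry to this FormatString call, not the start of the overall output; whether that is the intended bound when FormatString is entered with a partially filled buffer cannot be judged from the hunk. FormatString's body starts before and continues past the hunk.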