changeset 17932:62a4bcaf165b draft

(svn r22737) -Fix [FS#4717]: some corrupted savegames could crash OpenTTD instead of showing the "savegame corrupted" message
author rubidium <rubidium@openttd.org>
date Fri, 12 Aug 2011 18:36:47 +0000
parents 61764f9945a6
children deb19d948306
files src/saveload/cheat_sl.cpp src/saveload/company_sl.cpp src/saveload/strings_sl.cpp
diffstat 3 files changed, 8 insertions(+), 0 deletions(-) [+]
--- a/src/saveload/cheat_sl.cpp
+++ b/src/saveload/cheat_sl.cpp
@@ -38,6 +38,8 @@
 {
 	Cheat *cht = (Cheat*)&_cheats;
 	size_t count = SlGetFieldLength() / 2;
+	/* Cannot use lengthof because _cheats is of type Cheats, not Cheat */
+	if (count > sizeof(_cheats) / sizeof(Cheat)) SlErrorCorrupt("Too many cheat values");
 
 	for (uint i = 0; i < count; i++) {
 		cht[i].been_used = (SlReadByte() != 0);
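Review bot: The new bound on line 19 stops the write past the end of `_cheats`, but `SlGetFieldLength() / 2` silently discards an odd trailing byte, so a field of length 2n+1 passes the check and leaves one unread byte in the chunk; unless the saveload framework already rejects a partially consumed field, the guard should also cover that case, e.g. `if (SlGetFieldLength() % 2 != 0) SlErrorCorrupt("Invalid cheat field length");`. The element count derived from `sizeof(_cheats) / sizeof(Cheat)` also assumes `Cheats` is laid out as a dense array of `Cheat` with no other members or padding, which the existing `(Cheat*)&_cheats` cast already relies on; a `/* relies on Cheats being a plain sequence of Cheat members */` note next to the check would make that dependency visible. The enclosing function starts outside the hunk.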
--- a/src/saveload/company_sl.cpp
+++ b/src/saveload/company_sl.cpp
@@ -283,6 +283,7 @@
 	SlObject(&cprops->cur_economy, _company_economy_desc);
 
 	/* Write old economy entries. */
+	if (cprops->num_valid_stat_ent > lengthof(cprops->old_economy)) SlErrorCorrupt("Too many old economy entries");
 	for (i = 0; i < cprops->num_valid_stat_ent; i++) {
 		SlObject(&cprops->old_economy[i], _company_economy_desc);
 	}
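Review bot: The guard on line 29 runs on both the save and the load path if this function is shared between them (the `SlObject` calls suggest it is), so an out-of-range `num_valid_stat_ent` during a save would be reported as a corrupted savegame rather than as the in-memory invariant violation it actually is; the value is only untrusted when it was just read from the file. If a load/save distinction is available here, the `SlErrorCorrupt` should be limited to the load path and the save path kept as an `assert`, otherwise a comment such as `/* num_valid_stat_ent comes from the savegame on load; reject values that would overrun old_economy */` should state why the check is phrased as corruption. The comment "Write old economy entries." above the loop is also misleading for a routine that both reads and writes. The enclosing function starts and ends outside the hunk.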
--- a/src/saveload/strings_sl.cpp
+++ b/src/saveload/strings_sl.cpp
@@ -126,7 +126,12 @@
 	int index;
 
 	while ((index = SlIterateArray()) != -1) {
+		if (index >= NUM_OLD_STRINGS) SlErrorCorrupt("Invalid old name index");
+		if (SlGetFieldLength() > (uint)LEN_OLD_STRINGS) SlErrorCorrupt("Invalid old name length");
+
 		SlArray(&_old_name_array[LEN_OLD_STRINGS * index], SlGetFieldLength(), SLE_UINT8);
+		/* Make sure the old name is null terminated */
+		_old_name_array[LEN_OLD_STRINGS * index + LEN_OLD_STRINGS - 1] = '\0';
 	}
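Review bot: The index check on line 39 rejects values at or above `NUM_OLD_STRINGS` but not negative ones, so if `SlIterateArray()` can ever yield a negative value other than its `-1` end marker (it is declared `int`), `LEN_OLD_STRINGS * index` still indexes before the start of `_old_name_array`; the guard should be `if (index < 0 || index >= NUM_OLD_STRINGS) SlErrorCorrupt("Invalid old name index");`. The length check on line 40 intentionally admits a string of exactly `LEN_OLD_STRINGS` bytes, whose last byte is then overwritten by the terminator on line 44; that truncation is fine but deserves a one-line note, e.g. `/* A full-length name loses its last byte to the terminator */`. Note also that a shorter field leaves whatever bytes were previously in the slot between the read data and the forced terminator, which is harmless only if the array is zeroed before loading. The enclosing function starts outside the hunk.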
 }