changeset 8870:a928bf4a81c7 draft

(svn r12637) -Fix [FS#1913]: possible NULL pointer dereference when reading some NewGRF data.
author rubidium <rubidium@openttd.org>
date Wed, 09 Apr 2008 14:05:50 +0000
parents 202439e9e12c
children 24e1116b32f6
files src/network/core/config.h src/network/core/udp.cpp
diffstat 2 files changed, 5 insertions(+), 7 deletions(-) [+]
--- a/src/network/core/config.h
+++ b/src/network/core/config.h
@@ -38,14 +38,9 @@
 	/**
 	 * Maximum number of GRFs that can be sent.
 	 * This value is related to number of handles (files) OpenTTD can open.
-	 * This is currently 64 and about 10 are currently used when OpenTTD loads
-	 * without any NewGRFs. Therefore one can only load about 55 NewGRFs, so
-	 * this is not a limit, but rather a way to easily check whether the limit
-	 * imposed by the handle count is reached. Secondly it isn't possible to
-	 * send much more GRF IDs + MD5sums in the PACKET_UDP_SERVER_RESPONSE, due
-	 * to the limited size of UDP packets.
+	 * This is currently 64. Two are used for configuration and sound.
 	 */
-	NETWORK_MAX_GRF_COUNT         =   55,
+	NETWORK_MAX_GRF_COUNT         =   62,
 
 	NETWORK_NUM_LANGUAGES         =   36, ///< Number of known languages (to the network protocol) + 1 for 'any'.
 	/**
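Review bot: The rewritten comment above `NETWORK_MAX_GRF_COUNT` drops the sentence about the UDP packet size while the limit goes up from 55 to 62, so nothing on the new side records that the list must still fit in one PACKET_UDP_SERVER_RESPONSE. Assuming a 4-byte GRF ID plus a 16-byte MD5 sum per entry, 62 entries take 1240 bytes before the other fields; the packet size limit is not visible in this hunk, so that headroom should be confirmed. The udp.cpp hunk of this commit also uses the constant to reject received counts, which is worth stating here, for example `* Also the upper bound accepted for the GRF count in received game info; the list must still fit in one UDP packet.`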
--- a/src/network/core/udp.cpp
+++ b/src/network/core/udp.cpp
@@ -221,6 +221,9 @@
 			uint i;
 			uint num_grfs = p->Recv_uint8();
 
+			/* Broken/bad data. It cannot have that many NewGRFs. */
+			if (num_grfs > NETWORK_MAX_GRF_COUNT) return;
+
 			for (i = 0; i < num_grfs; i++) {
 				GRFConfig *c = CallocT<GRFConfig>(1);
 				this->Recv_GRFIdentifier(p, c);
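Review bot: The added `if (num_grfs > NETWORK_MAX_GRF_COUNT) return;` leaves the function without telling the caller that the packet was rejected; the bare `return` suggests a void function, so an abandoned parse looks the same as a complete one. Any fields normally read after this loop would keep their previous values, and the caller may go on to use a half-filled structure (the function body starts and ends outside the hunk, so this needs checking against the caller). Consider recording the rejection with a debug message naming the received count and having the caller discard the entry. The comment could also state the trust boundary: `/* num_grfs comes from the remote packet; above the limit the packet is malformed and is not parsed further. */`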