From d489ee5d9c8caa68a547483901021547ac61bec1 Mon Sep 17 00:00:00 2001
From: Jonathan G Rennison
Date: Mon, 14 Jan 2019 18:42:51 +0000
Subject: [PATCH] Discard invalid/negative sprite sizes in LoadSpriteV1

This is to avoid sign-conversion to a huge unsigned value which is passed to malloc.
---
 src/spriteloader/grf.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/spriteloader/grf.cpp b/src/spriteloader/grf.cpp
index 0f54a9eadc..a07ab2a041 100644
--- a/src/spriteloader/grf.cpp
+++ b/src/spriteloader/grf.cpp
@@ -245,6 +245,10 @@ uint8 LoadSpriteV1(SpriteLoader::Sprite *sprite, uint file_slot, size_t file_pos
 /* 0x02 indicates it is a compressed sprite, so we can't rely on 'num' to be valid.
 * In case it is uncompressed, the size is 'num' - 8 (header-size). */
 num = (type & 0x02) ? sprite[zoom_lvl].width * sprite[zoom_lvl].height : num - 8;
+ if (num < 0) {
+ WarnCorruptSprite(file_slot, file_pos, __LINE__);
+ return 0;
+ }
 if (DecodeSingleSprite(&sprite[zoom_lvl], file_slot, file_pos, sprite_type, num, type, zoom_lvl, SCC_PAL, 1)) return 1 << zoom_lvl;