dave/openttd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Discard invalid/negative sprite sizes in LoadSpriteV1

Browse Source 
This is to avoid sign-conversion to a huge unsigned value
which is passed to malloc.
This commit is contained in:
Jonathan G Rennison
2019-01-14 18:42:51 +00:00
parent e3d167f9f0
commit d489ee5d9c
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/spriteloader/grf.cpp
View File

@@ -245,6 +245,10 @@ uint8 LoadSpriteV1(SpriteLoader::Sprite *sprite, uint file_slot, size_t file_pos
/* 0x02 indicates it is a compressed sprite, so we can't rely on 'num' to be valid.
* In case it is uncompressed, the size is 'num' - 8 (header-size). */
num = (type & 0x02) ? sprite[zoom_lvl].width * sprite[zoom_lvl].height : num - 8;
if (num < 0) {
WarnCorruptSprite(file_slot, file_pos, __LINE__);
return 0;
}
if (DecodeSingleSprite(&sprite[zoom_lvl], file_slot, file_pos, sprite_type, num, type, zoom_lvl, SCC_PAL, 1)) return 1 << zoom_lvl;