From e13d6da81fbb3aa8d45e6776fd3d8b388cb6fb61 Mon Sep 17 00:00:00 2001
From: Ted John
Date: Mon, 10 Dec 2018 19:54:54 +0000
Subject: [PATCH 1/2] Prevent possible stack overflow if zoom offset is 0
---
src/openrct2/object/ObjectJsonHelpers.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openrct2/object/ObjectJsonHelpers.cpp b/src/openrct2/object/ObjectJsonHelpers.cpp
index 4dc75528df..a1d25445f1 100644
--- a/src/openrct2/object/ObjectJsonHelpers.cpp
+++ b/src/openrct2/object/ObjectJsonHelpers.cpp
@@ -69,7 +69,7 @@ namespace ObjectJsonHelpers
 g1 = *orig;
 g1.offset = (uint8_t*)std::malloc(length);
 std::memcpy(g1.offset, orig->offset, length);
- if (g1.flags & G1_FLAG_HAS_ZOOM_SPRITE)
+ if ((g1.flags & G1_FLAG_HAS_ZOOM_SPRITE) && g1.zoomed_offset != 0)
 {
 // Fetch image for next zoom level
 next_zoom = std::make_unique((uint32_t)(idx - g1.zoomed_offset), getter);
From 7c3401603d087a7857b04d0fd8a86400e0e3fc39 Mon Sep 17 00:00:00 2001
From: Ted John
Date: Mon, 10 Dec 2018 19:57:27 +0000
Subject: [PATCH 2/2] Change mallocs to new[]
---
src/openrct2/object/ObjectJsonHelpers.cpp | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/openrct2/object/ObjectJsonHelpers.cpp b/src/openrct2/object/ObjectJsonHelpers.cpp
index a1d25445f1..c7da2f99b1 100644
--- a/src/openrct2/object/ObjectJsonHelpers.cpp
+++ b/src/openrct2/object/ObjectJsonHelpers.cpp
@@ -55,7 +55,7 @@ namespace ObjectJsonHelpers
 {
 auto length = g1_calculate_data_size(&orig);
 g1 = orig;
- g1.offset = (uint8_t*)std::malloc(length);
+ g1.offset = new uint8_t[length];
 std::memcpy(g1.offset, orig.offset, length);
 g1.flags &= ~G1_FLAG_HAS_ZOOM_SPRITE;
 }
@@ -67,7 +67,7 @@ namespace ObjectJsonHelpers
 {
 auto length = g1_calculate_data_size(orig);
 g1 = *orig;
- g1.offset = (uint8_t*)std::malloc(length);
+ g1.offset = new uint8_t[length];
 std::memcpy(g1.offset, orig->offset, length);
 if ((g1.flags & G1_FLAG_HAS_ZOOM_SPRITE) && g1.zoomed_offset != 0)
 {
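Review bot: The added `g1.zoomed_offset != 0` guard only stops the direct self-reference (`idx - 0 == idx`); a chain of two or more images whose zoom offsets lead back to an earlier index still recurses without bound on malformed object data, and if `getter` does not itself reject an index it cannot resolve, an offset that moves `idx - g1.zoomed_offset` outside the image table is also unchecked here. Since each level constructs another RequiredImage through std::make_unique, a depth counter carried alongside `getter`, or a range check on the computed index before that call, would close the remaining case. The condition also deserves a line explaining why zero is special, e.g. `// zoomed_offset of 0 would refer to this image and recurse forever`. The enclosing function begins before the hunk.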
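Review bot: `g1.offset` is now a raw owning pointer stored inside a struct that was just copied wholesale from `orig` (here and again in the `@@ -67` hunk), so nothing in the type says which copy of `g1` owns the buffer; a comment at the allocation, e.g. `// g1.offset is owned by this RequiredImage and released with delete[] in its destructor`, would make that explicit. The four lines (size, struct copy, allocation, memcpy) are duplicated verbatim between the two hunks; a small private helper taking the source element and returning the filled-in copy would keep the two constructors in step. Note that `new[]` throws std::bad_alloc where malloc returned nullptr, so any caller that previously tolerated a null `g1.offset` now sees an exception instead — presumably acceptable, but worth confirming. The enclosing constructors start before each hunk.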
@@ -84,7 +84,7 @@ namespace ObjectJsonHelpers
 ~RequiredImage()
 {
- std::free(g1.offset);
+ delete[] g1.offset;
 }
 };
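Review bot: With `delete[] g1.offset` in the destructor, RequiredImage owns a raw buffer, and its implicitly generated copy operations would duplicate the pointer and free it twice; unless another member (the `next_zoom` unique_ptr, if that is what it is) already deletes copying, the copy constructor and copy assignment should be explicitly `= delete`, and move operations, if needed, defined to reset the source's `g1.offset` to nullptr. `delete[]` on a nullptr is a no-op, so a default-constructed element needs no extra check here. The class body continues outside the hunk.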