mirrors
/
OpenRCT2
mirror of https://github.com/OpenRCT2/OpenRCT2.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Validate more inputs to SawyerChunk handlers

This commit is contained in:
Michał Janiszewski 2017-08-03 00:29:22 +02:00
parent dabc52b036
commit e9e37d2aac
2 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/openrct2/rct12/SawyerChunkReader.cpp
View File

@ -82,6 +82,7 @@ std::shared_ptr<SawyerChunk> SawyerChunkReader::ReadChunk()
}
size_t uncompressedLength = sawyercoding_read_chunk_buffer(buffer, compressedData.get(), header, bufferSize);
Guard::Assert(uncompressedLength != 0, "Encountered zero-sized chunk!");
buffer = Memory::Reallocate(buffer, uncompressedLength);
if (buffer == nullptr)
{

8
src/openrct2/util/sawyercoding.c
View File

@ -21,7 +21,7 @@
static size_t decode_chunk_rle(const uint8* src_buffer, uint8* dst_buffer, size_t length);
static size_t decode_chunk_rle_with_size(const uint8* src_buffer, uint8* dst_buffer, size_t length, size_t dstSize);
static size_t decode_chunk_repeat(uint8 *buffer, size_t length);
static size_t decode_chunk_repeat(uint8 *buffer, size_t length, size_t dstLength);
static void decode_chunk_rotate(uint8 *buffer, size_t length);
static size_t encode_chunk_rle(const uint8 *src_buffer, uint8 *dst_buffer, size_t length);
@ -51,7 +51,7 @@ size_t sawyercoding_read_chunk_buffer(uint8 *dst_buffer, const uint8 *src_buffer
break;
case CHUNK_ENCODING_RLECOMPRESSED:
chunkHeader.length = (uint32)decode_chunk_rle_with_size(src_buffer, dst_buffer, chunkHeader.length, dst_buffer_size);
chunkHeader.length = (uint32)decode_chunk_repeat(dst_buffer, chunkHeader.length);
chunkHeader.length = (uint32)decode_chunk_repeat(dst_buffer, chunkHeader.length, dst_buffer_size);
break;
case CHUNK_ENCODING_ROTATE:
memcpy(dst_buffer, src_buffer, chunkHeader.length);
@ -271,7 +271,7 @@ static size_t decode_chunk_rle_with_size(const uint8* src_buffer, uint8* dst_buf
*
* rct2: 0x006769F1
*/
static size_t decode_chunk_repeat(uint8 *buffer, size_t length)
static size_t decode_chunk_repeat(uint8 *buffer, size_t length, size_t dstLength)
{
size_t i, count;
uint8 *src, *dst, *copyOffset;
@ -287,6 +287,8 @@ static size_t decode_chunk_repeat(uint8 *buffer, size_t length)
} else {
count = (src[i] & 7) + 1;
copyOffset = dst + (sint32)(src[i] >> 3) - 32;
assert(dst + count < buffer + dstLength);
assert(copyOffset + count < src + length);
memcpy(dst, copyOffset, count);
dst = (uint8*)((uintptr_t)dst + count);
}