mirror of https://github.com/OpenTTD/OpenTTD.git
(svn r22874) -Fix [FS#4747]: Check size of various buffers before allocation. (monoid)
This commit is contained in:
parent
6c7cbb1d46
commit
65637d8941
|
@ -1034,6 +1034,9 @@ const Sprite *GetGlyph(FontSize size, WChar key)
|
||||||
width = max(1, slot->bitmap.width + (size == FS_NORMAL));
|
width = max(1, slot->bitmap.width + (size == FS_NORMAL));
|
||||||
height = max(1, slot->bitmap.rows + (size == FS_NORMAL));
|
height = max(1, slot->bitmap.rows + (size == FS_NORMAL));
|
||||||
|
|
||||||
|
/* Limit glyph size to prevent overflows later on. */
|
||||||
|
if (width > 256 || height > 256) usererror("Font glyph is too large");
|
||||||
|
|
||||||
/* FreeType has rendered the glyph, now we allocate a sprite and copy the image into it */
|
/* FreeType has rendered the glyph, now we allocate a sprite and copy the image into it */
|
||||||
sprite.AllocateData(width * height);
|
sprite.AllocateData(width * height);
|
||||||
sprite.width = width;
|
sprite.width = width;
|
||||||
|
|
|
@ -596,11 +596,12 @@ int ttd_main(int argc, char *argv[])
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The width and height must be at least 1 pixel and width times
|
* The width and height must be at least 1 pixel and width times
|
||||||
* height must still fit within a 32 bits integer, this way all
|
* height times bytes per pixel must still fit within a 32 bits
|
||||||
* internal drawing routines work correctly.
|
* integer, even for 32 bpp video modes. This way all internal
|
||||||
|
* drawing routines work correctly.
|
||||||
*/
|
*/
|
||||||
_cur_resolution.width = ClampU(_cur_resolution.width, 1, UINT16_MAX);
|
_cur_resolution.width = ClampU(_cur_resolution.width, 1, UINT16_MAX / 2);
|
||||||
_cur_resolution.height = ClampU(_cur_resolution.height, 1, UINT16_MAX);
|
_cur_resolution.height = ClampU(_cur_resolution.height, 1, UINT16_MAX / 2);
|
||||||
|
|
||||||
/* enumerate language files */
|
/* enumerate language files */
|
||||||
InitializeLanguagePacks();
|
InitializeLanguagePacks();
|
||||||
|
|
|
@ -118,6 +118,9 @@ namespace SQConvert {
|
||||||
|
|
||||||
template <> inline Array *GetParam(ForceType<Array *>, HSQUIRRELVM vm, int index, SQAutoFreePointers *ptr)
|
template <> inline Array *GetParam(ForceType<Array *>, HSQUIRRELVM vm, int index, SQAutoFreePointers *ptr)
|
||||||
{
|
{
|
||||||
|
/* Sanity check of the size. */
|
||||||
|
if (sq_getsize(vm, index) > UINT16_MAX) throw sq_throwerror(vm, _SC("an array used as parameter to a function is too large"));
|
||||||
|
|
||||||
SQObject obj;
|
SQObject obj;
|
||||||
sq_getstackobj(vm, index, &obj);
|
sq_getstackobj(vm, index, &obj);
|
||||||
sq_pushobject(vm, obj);
|
sq_pushobject(vm, obj);
|
||||||
|
|
|
@ -110,7 +110,8 @@ static bool SetBankSource(MixerChannel *mc, const SoundEntry *sound)
|
||||||
{
|
{
|
||||||
assert(sound != NULL);
|
assert(sound != NULL);
|
||||||
|
|
||||||
if (sound->file_size == 0) return false;
|
/* Check for valid sound size. */
|
||||||
|
if (sound->file_size == 0 || sound->file_size > ((size_t)-1) - 2) return false;
|
||||||
|
|
||||||
int8 *mem = MallocT<int8>(sound->file_size + 2);
|
int8 *mem = MallocT<int8>(sound->file_size + 2);
|
||||||
/* Add two extra bytes so rate conversion can read these
|
/* Add two extra bytes so rate conversion can read these
|
||||||
|
|
|
@ -63,7 +63,9 @@ const char *SoundDriver_Win32::Start(const char * const *parm)
|
||||||
wfex.nBlockAlign = (wfex.nChannels * wfex.wBitsPerSample) / 8;
|
wfex.nBlockAlign = (wfex.nChannels * wfex.wBitsPerSample) / 8;
|
||||||
wfex.nAvgBytesPerSec = wfex.nSamplesPerSec * wfex.nBlockAlign;
|
wfex.nAvgBytesPerSec = wfex.nSamplesPerSec * wfex.nBlockAlign;
|
||||||
|
|
||||||
|
/* Limit buffer size to prevent overflows. */
|
||||||
_bufsize = GetDriverParamInt(parm, "bufsize", (GB(GetVersion(), 0, 8) > 5) ? 8192 : 4096);
|
_bufsize = GetDriverParamInt(parm, "bufsize", (GB(GetVersion(), 0, 8) > 5) ? 8192 : 4096);
|
||||||
|
_bufsize = min(_bufsize, UINT16_MAX);
|
||||||
|
|
||||||
try {
|
try {
|
||||||
if (NULL == (_event = CreateEvent(NULL, FALSE, FALSE, NULL))) throw "Failed to create event";
|
if (NULL == (_event = CreateEvent(NULL, FALSE, FALSE, NULL))) throw "Failed to create event";
|
||||||
|
|
Loading…
Reference in New Issue