From 70b2093ddb18bfffff5d2f80e29ce29aaa242478 Mon Sep 17 00:00:00 2001
From: rubidium
Date: Tue, 26 Nov 2013 22:03:56 +0000
Subject: [PATCH] (svn r26132) -Fix-ish: prevent issues due to overflowing multiplications by limiting the size of full zoom sprites to about 32kix32ki
---
 src/spriteloader/grf.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/spriteloader/grf.cpp b/src/spriteloader/grf.cpp
index 2de58dc6fe..678ebb79a6 100644
--- a/src/spriteloader/grf.cpp
+++ b/src/spriteloader/grf.cpp
@@ -235,6 +235,11 @@ uint8 LoadSpriteV1(SpriteLoader::Sprite *sprite, uint8 file_slot, size_t file_po
 		sprite[zoom_lvl].x_offs = FioReadWord();
 		sprite[zoom_lvl].y_offs = FioReadWord();
 
+		if (sprite[zoom_lvl].width > INT16_MAX) {
+			WarnCorruptSprite(file_slot, file_pos, __LINE__);
+			return 0;
+		}
+
 		/* 0x02 indicates it is a compressed sprite, so we can't rely on 'num' to be valid.
 		 * In case it is uncompressed, the size is 'num' - 8 (header-size). */
 		num = (type & 0x02) ? sprite[zoom_lvl].width * sprite[zoom_lvl].height : num - 8;
@@ -283,6 +288,11 @@ uint8 LoadSpriteV2(SpriteLoader::Sprite *sprite, uint8 file_slot, size_t file_po
 		sprite[zoom_lvl].x_offs = FioReadWord();
 		sprite[zoom_lvl].y_offs = FioReadWord();
 
+		if (sprite[zoom_lvl].width > INT16_MAX || sprite[zoom_lvl].height > INT16_MAX) {
+			WarnCorruptSprite(file_slot, file_pos, __LINE__);
+			return 0;
+		}
+
 		/* Mask out colour information. */
 		type = type & ~SCC_MASK;
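Review bot: The guard added in LoadSpriteV1 bounds only `width`, while the parallel guard in LoadSpriteV2 (second hunk) bounds both `width` and `height`, yet the very next statement in V1 multiplies the two. If V1's height is also a 16-bit read (that read sits above the hunk, so it is not visible here), the product can still overflow and the check should be `if (sprite[zoom_lvl].width > INT16_MAX || sprite[zoom_lvl].height > INT16_MAX) {`; if height is a single byte there, that asymmetry deserves a comment so the next maintainer does not "fix" it either way. In both hunks the bare constant also needs a why-comment, e.g. `/* Dimensions come straight from the GRF file; cap them so width * height cannot overflow below. */`. LoadSpriteV1 starts and ends outside the hunk.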