From 81074e0ca2b8c7fa470db5b657998ac614a810de Mon Sep 17 00:00:00 2001
From: rubidium
Date: Fri, 12 Aug 2011 18:36:47 +0000
Subject: [PATCH] (svn r22737) -Fix [FS#4717]: some corrupted savegames could crash OpenTTD instead of showing the "savegame corrupted" message
---
src/saveload/cheat_sl.cpp | 2 ++
src/saveload/company_sl.cpp | 1 +
src/saveload/strings_sl.cpp | 5 +++++
3 files changed, 8 insertions(+)
diff --git a/src/saveload/cheat_sl.cpp b/src/saveload/cheat_sl.cpp
index 724c945df6..aa5648a888 100644
--- a/src/saveload/cheat_sl.cpp
+++ b/src/saveload/cheat_sl.cpp
@@ -38,6 +38,8 @@ static void Load_CHTS()
 {
 Cheat *cht = (Cheat*)&_cheats;
 size_t count = SlGetFieldLength() / 2;
+ /* Cannot use lengthof because _cheats is of type Cheats, not Cheat */
+ if (count > sizeof(_cheats) / sizeof(Cheat)) SlErrorCorrupt("Too many cheat values");
 for (uint i = 0; i < count; i++) {
 cht[i].been_used = (SlReadByte() != 0);
diff --git a/src/saveload/company_sl.cpp b/src/saveload/company_sl.cpp
index f99e104f23..2684a06559 100644
--- a/src/saveload/company_sl.cpp
+++ b/src/saveload/company_sl.cpp
@@ -283,6 +283,7 @@ static void SaveLoad_PLYR_common(Company *c, CompanyProperties *cprops)
 SlObject(&cprops->cur_economy, _company_economy_desc);
 /* Write old economy entries. */
+ if (cprops->num_valid_stat_ent > lengthof(cprops->old_economy)) SlErrorCorrupt("Too many old economy entries");
 for (i = 0; i < cprops->num_valid_stat_ent; i++) {
 SlObject(&cprops->old_economy[i], _company_economy_desc);
 }
diff --git a/src/saveload/strings_sl.cpp b/src/saveload/strings_sl.cpp
index 6869a1af6a..00180978b5 100644
--- a/src/saveload/strings_sl.cpp
+++ b/src/saveload/strings_sl.cpp
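Review bot: The bound `sizeof(_cheats) / sizeof(Cheat)` is only the element count if `Cheats` is laid out as a contiguous run of `Cheat` members with no padding, which the `(Cheat*)&_cheats` cast on the line above already assumes but nothing enforces; a compile-time check next to the new guard, `assert_compile(sizeof(Cheats) % sizeof(Cheat) == 0);` (or whichever static-assert macro the project provides), would turn a later layout change into a build error instead of an over-read of `_cheats`. `SlGetFieldLength() / 2` also silently discards an odd trailing byte; if each entry in this chunk is exactly two bytes, `if (SlGetFieldLength() % 2 != 0) SlErrorCorrupt("Invalid cheat chunk length");` would reject that corruption too instead of leaving a byte unread. Load_CHTS continues past the end of this hunk, so the rest of the loop body is not visible here.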
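Review bot: The new guard before the `for` loop has no comment saying why it exists, and it sits under `/* Write old economy entries. */` even though SaveLoad_PLYR_common serves both save and load, so on the load side this is a bound on a count that came out of the savegame. A one-line comment would make that explicit: `/* num_valid_stat_ent is read from the savegame; bound it before it is used to index old_economy. */`. The check also runs on save, where it can presumably only fire if in-memory state is already inconsistent; that is harmless but worth a word in the same comment. SaveLoad_PLYR_common starts before and continues after this hunk, and `i` is declared outside it.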
@@ -126,7 +126,12 @@ static void Load_NAME()
 int index;
 while ((index = SlIterateArray()) != -1) {
+ if (index >= NUM_OLD_STRINGS) SlErrorCorrupt("Invalid old name index");
+ if (SlGetFieldLength() > (uint)LEN_OLD_STRINGS) SlErrorCorrupt("Invalid old name length");
+ SlArray(&_old_name_array[LEN_OLD_STRINGS * index], SlGetFieldLength(), SLE_UINT8);
+ /* Make sure the old name is null terminated */
+ _old_name_array[LEN_OLD_STRINGS * index + LEN_OLD_STRINGS - 1] = '\0';
 }
 }
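Review bot: The forced terminator is written at the last byte of the slot rather than directly after the bytes that were loaded, so for a field shorter than LEN_OLD_STRINGS that carries no NUL of its own, whatever already sits in `_old_name_array` between the loaded data and the slot end (for example from a savegame loaded earlier in the same session) becomes part of the name; `SlGetFieldLength()` is also called twice where one local would do. Reading the length once and terminating right after it keeps the slot-end bound and removes that dependence on stale contents; if the old-name chunk always contains its own terminator this is only belt-and-braces. `index` is an `int` checked only against the upper bound, which is fine if SlIterateArray can return no negative value other than -1; if it can, `index < 0` needs rejecting as well. The body of Load_NAME begins before this hunk.
```cpp
	while ((index = SlIterateArray()) != -1) {
		if (index >= NUM_OLD_STRINGS) SlErrorCorrupt("Invalid old name index");
		size_t len = SlGetFieldLength();
		if (len > (size_t)LEN_OLD_STRINGS) SlErrorCorrupt("Invalid old name length");
		SlArray(&_old_name_array[LEN_OLD_STRINGS * index], len, SLE_UINT8);
		/* Terminate directly after the loaded bytes, never past the end of the slot */
		size_t end = len < (size_t)LEN_OLD_STRINGS ? len : (size_t)LEN_OLD_STRINGS - 1;
		_old_name_array[LEN_OLD_STRINGS * index + end] = '\0';
	}
```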