From d155794605fbec6678969b4df814a3641295e8d0 Mon Sep 17 00:00:00 2001
From: smatz <smatz@openttd.org>
Date: Mon, 1 Feb 2010 00:10:52 +0000
Subject: [PATCH] (svn r18978) -Fix [FS#3584](r14753): possible invalid memory
 access when merging companies

---
 src/vehicle.cpp | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/vehicle.cpp b/src/vehicle.cpp
index a62cac9870..4cf0af4d90 100644
--- a/src/vehicle.cpp
+++ b/src/vehicle.cpp
@@ -1209,10 +1209,10 @@ FreeUnitIDGenerator::FreeUnitIDGenerator(VehicleType type, CompanyID owner) : ca
 
 	if (this->maxid == 0) return;
 
-	this->maxid++; // so there is space for last item (with v->unitnumber == maxid)
-	this->maxid++; // this one will always be free (well, it will fail when there are 65535 units, so this overflows)
-
-	this->cache = CallocT<bool>(this->maxid);
+	/* Reserving 'maxid + 2' because we need:
+	 * - space for the last item (with v->unitnumber == maxid)
+	 * - one free slot working as loop terminator in FreeUnitIDGenerator::NextID() */
+	this->cache = CallocT<bool>(this->maxid + 2);
 
 	/* Fill the cache */
 	FOR_ALL_VEHICLES(v) {