From f1458df1caed833434303de9ae59f864404e4d07 Mon Sep 17 00:00:00 2001
From: peter1138
Date: Wed, 3 Feb 2010 08:02:07 +0000
Subject: [PATCH] (svn r18990) -Codechange: [NewGRF] Add rail type map bounds checking to RailType[Change|Reserve]Info().
---
 src/newgrf.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/newgrf.cpp b/src/newgrf.cpp
index ef8ec93ace..786c5f3734 100644
--- a/src/newgrf.cpp
+++ b/src/newgrf.cpp
@@ -2494,6 +2494,11 @@ static ChangeInfoResult RailTypeChangeInfo(uint id, int numinfo, int prop, ByteR
 extern RailtypeInfo _railtypes[RAILTYPE_END];
+ if (id + numinfo > RAILTYPE_END) {
+ grfmsg(1, "RailTypeChangeInfo: Rail type %u is invalid, max %u, ignoring", id + numinfo, RAILTYPE_END);
+ return CIR_INVALID_ID;
+ }
+
 for (int i = 0; i < numinfo; i++) {
 RailType rt = _cur_grffile->railtype_map[id + i];
 if (rt == INVALID_RAILTYPE) return CIR_INVALID_ID;
@@ -2589,6 +2594,11 @@ static ChangeInfoResult RailTypeReserveInfo(uint id, int numinfo, int prop, Byte
 {
 ChangeInfoResult ret = CIR_SUCCESS;
+ if (id + numinfo > RAILTYPE_END) {
+ grfmsg(1, "RailTypeReserveInfo: Rail type %u is invalid, max %u, ignoring", id + numinfo, RAILTYPE_END);
+ return CIR_INVALID_ID;
+ }
+
 for (int i = 0; i < numinfo; i++) {
 switch (prop) {
 case 0x08: // Label of rail type
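Review bot: The new guard `id + numinfo > RAILTYPE_END` in RailTypeChangeInfo is evaluated in unsigned arithmetic (`id` is `uint`, `numinfo` is `int`), so a very large `id` or a negative `numinfo` can wrap the sum below RAILTYPE_END, and the loop would then index `railtype_map[id + i]` out of range. These values appear to come from parsed NewGRF data, so unless every caller already limits them, a wrap-proof form is safer: `if (id >= RAILTYPE_END || numinfo < 0 || (uint)numinfo > RAILTYPE_END - id) {`. The identical check added to RailTypeReserveInfo has the same weakness. The log message also prints `id + numinfo`, which is one past the last requested ID rather than an offending rail type, so logging `id` and `numinfo` separately would make the rejection easier to diagnose. Both function bodies continue outside their hunks, so this assumes no earlier validation of the range.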