mirror
/
OpenTTD
mirror of https://github.com/OpenTTD/OpenTTD
1
0
Fork 0
Code Issues

Fix: prevent corrupted GRF files to allocate stupid amounts of memory

pull/10323/head
Rubidium 2023-01-05 18:29:47 +01:00 committed by rubidium42
parent 58068883f8
commit 51049946d1
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/spriteloader/grf.cpp
View File

@ -59,6 +59,15 @@ static bool WarnCorruptSprite(const SpriteFile &file, size_t file_pos, int line)
*/ */
bool DecodeSingleSprite(SpriteLoader::Sprite *sprite, SpriteFile &file, size_t file_pos, SpriteType sprite_type, int64 num, byte type, ZoomLevel zoom_lvl, byte colour_fmt, byte container_format) bool DecodeSingleSprite(SpriteLoader::Sprite *sprite, SpriteFile &file, size_t file_pos, SpriteType sprite_type, int64 num, byte type, ZoomLevel zoom_lvl, byte colour_fmt, byte container_format)
{ {
/*
* Original sprite height was max 255 pixels, with 4x extra zoom => 1020 pixels.
* Original maximum width for sprites was 640 pixels, with 4x extra zoom => 2560 pixels.
* Now up to 5 bytes per pixel => 1020 * 2560 * 5 => ~ 12.5 MiB.
*
* So, any sprite data more than 64 MiB is way larger that we would even expect; prevent allocating more memory!
*/
if (num < 0 || num > 64 * 1024 * 1024) return WarnCorruptSprite(file, file_pos, __LINE__);
std::unique_ptr<byte[]> dest_orig(new byte[num]); std::unique_ptr<byte[]> dest_orig(new byte[num]);
byte *dest = dest_orig.get(); byte *dest = dest_orig.get();
const int64 dest_size = num; const int64 dest_size = num;