Codefix: do not trust allocation sizes coming from a file

2025-03-14 18:02:10 +01:00 · 2025-03-14 18:02:10 +01:00 · dae788e2e3
parent f794ee028b
commit dae788e2e3
2 changed files with 10 additions and 0 deletions
--- a/src/music/midifile.cpp
+++ b/src/music/midifile.cpp
@ -203,6 +203,9 @@ static bool ReadTrackChunk(FileHandle &file, MidiFile &target)
 	}
 	chunk_length = FROM_BE32(chunk_length);

+	/* Limit chunk size to 1 MiB. */
+	if (chunk_length > 1024 * 1024) return false;
+
 	ByteBuffer chunk(file, chunk_length);
 	if (!chunk.IsValid()) {
 		return false;
--- a/src/newgrf.cpp
+++ b/src/newgrf.cpp
@ -9957,6 +9957,13 @@ static void LoadNewGRFFileFromFile(GRFConfig &config, GrfLoadingStage stage, Spr

 		if (type == 0xFF) {
 			if (_cur.skip_sprites == 0) {
+				/* Limit the special sprites to 1 MiB. */
+				if (num > 1024 * 1024) {
+					GrfMsg(0, "LoadNewGRFFile: Unexpectedly large sprite, disabling");
+					DisableGrf(STR_NEWGRF_ERROR_UNEXPECTED_SPRITE);
+					break;
+				}
+
 				DecodeSpecialSprite(buf.Allocate(num), num, stage);

 				/* Stop all processing if we are to skip the remaining sprites */