mirror
/
OpenTTD
mirror of https://github.com/OpenTTD/OpenTTD
1
0
Fork 0
Code Issues

Codefix: do not trust allocation sizes coming from a file

pull/13829/head
Rubidium 2025-03-14 18:02:10 +01:00 committed by rubidium42
parent f794ee028b
commit dae788e2e3
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/music/midifile.cpp
View File

@ -203,6 +203,9 @@ static bool ReadTrackChunk(FileHandle &file, MidiFile &target)
} }
chunk_length = FROM_BE32(chunk_length); chunk_length = FROM_BE32(chunk_length);
/* Limit chunk size to 1 MiB. */
if (chunk_length > 1024 * 1024) return false;
ByteBuffer chunk(file, chunk_length); ByteBuffer chunk(file, chunk_length);
if (!chunk.IsValid()) { if (!chunk.IsValid()) {
return false; return false;

7
src/newgrf.cpp
View File

@ -9957,6 +9957,13 @@ static void LoadNewGRFFileFromFile(GRFConfig &config, GrfLoadingStage stage, Spr
if (type == 0xFF) { if (type == 0xFF) {
if (_cur.skip_sprites == 0) { if (_cur.skip_sprites == 0) {
/* Limit the special sprites to 1 MiB. */
if (num > 1024 * 1024) {
GrfMsg(0, "LoadNewGRFFile: Unexpectedly large sprite, disabling");
DisableGrf(STR_NEWGRF_ERROR_UNEXPECTED_SPRITE);
break;
}
DecodeSpecialSprite(buf.Allocate(num), num, stage); DecodeSpecialSprite(buf.Allocate(num), num, stage);
/* Stop all processing if we are to skip the remaining sprites */ /* Stop all processing if we are to skip the remaining sprites */