Archives
/
OpenTTD-patches
mirror of https://github.com/JGRennison/OpenTTD-patches
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

(svn r26132) -Fix-ish: prevent issues due to overflowing multiplications by limiting the size of full zoom sprites to about 32kix32ki

Browse Source
pull/155/head
rubidium 11 years ago
parent f7112a42bd
commit 223f743271
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File

10
src/spriteloader/grf.cpp
Unescape Escape View File

@ -235,6 +235,11 @@ uint8 LoadSpriteV1(SpriteLoader::Sprite *sprite, uint8 file_slot, size_t file_po
sprite[zoom_lvl].x_offs = FioReadWord();
sprite[zoom_lvl].y_offs = FioReadWord();
if (sprite[zoom_lvl].width > INT16_MAX) {
WarnCorruptSprite(file_slot, file_pos, __LINE__);
return 0;
}
/* 0x02 indicates it is a compressed sprite, so we can't rely on 'num' to be valid.
* In case it is uncompressed, the size is 'num' - 8 (header-size). */
num = (type & 0x02) ? sprite[zoom_lvl].width * sprite[zoom_lvl].height : num - 8;
@ -283,6 +288,11 @@ uint8 LoadSpriteV2(SpriteLoader::Sprite *sprite, uint8 file_slot, size_t file_po
sprite[zoom_lvl].x_offs = FioReadWord();
sprite[zoom_lvl].y_offs = FioReadWord();
if (sprite[zoom_lvl].width > INT16_MAX || sprite[zoom_lvl].height > INT16_MAX) {
WarnCorruptSprite(file_slot, file_pos, __LINE__);
return 0;
}
/* Mask out colour information. */
type = type & ~SCC_MASK;

Write Preview
Loading…
Cancel
Save