(svn r26062) -Fix: beef up checks against invalid data in highscore and language files

11 years ago · 3b2a92ea97
parent 78a316d349
commit 3b2a92ea97
2 changed files with 10 additions and 5 deletions
--- a/src/highscore.cpp
+++ b/src/highscore.cpp
@ -164,10 +164,10 @@ void LoadFromHighScore()
 		for (i = 0; i < SP_SAVED_HIGHSCORE_END; i++) {
 			for (hs = _highscore_table[i]; hs != endof(_highscore_table[i]); hs++) {
 				byte length;
-				if (fread(&length, sizeof(length), 1, fp)       !=  1 ||
-						fread(hs->company, length, 1, fp)           >   1 || // Yes... could be 0 bytes too
-						fread(&hs->score, sizeof(hs->score), 1, fp) !=  1 ||
-						fseek(fp, 2, SEEK_CUR)                      == -1) { // XXX - placeholder for hs->title, not saved anymore; compatibility
+				if (fread(&length, sizeof(length), 1, fp)                              !=  1 ||
+						fread(hs->company, min<int>(lengthof(hs->company), length), 1, fp) >   1 || // Yes... could be 0 bytes too
+						fread(&hs->score, sizeof(hs->score), 1, fp)                        !=  1 ||
+						fseek(fp, 2, SEEK_CUR)                                             == -1) { // XXX - placeholder for hs->title, not saved anymore; compatibility
 					DEBUG(misc, 1, "Highscore corrupted");
 					i = SP_SAVED_HIGHSCORE_END;
 					break;
--- a/src/strings.cpp
+++ b/src/strings.cpp
@ -1763,7 +1763,12 @@ bool ReadLanguagePack(const LanguageMetadata *lang)

 	uint count = 0;
 	for (uint i = 0; i < TAB_COUNT; i++) {
-		uint num = lang_pack->offsets[i];
+		uint16 num = lang_pack->offsets[i];
+		if (num > TAB_SIZE) {
+				free(lang_pack);
+				return false;
+		}
+
 		_langtab_start[i] = count;
 		_langtab_num[i] = num;
 		count += num;