From 7edbf2fed15ec519e4f54a28bf859bf0d1aebf11 Mon Sep 17 00:00:00 2001
From: rubidium
Date: Sat, 23 Nov 2013 18:11:01 +0000
Subject: [PATCH] (svn r26070) -Fix: prevent extremely huge size for data (1+GiB)
---
 src/newgrf_config.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/newgrf_config.cpp b/src/newgrf_config.cpp
index df86850302..337b3edd11 100644
--- a/src/newgrf_config.cpp
+++ b/src/newgrf_config.cpp
@@ -335,7 +335,14 @@ size_t GRFGetSizeOfDataSection(FILE *f)
 if (fread(data, 1, header_len, f) == header_len) {
 if (data[0] == 0 && data[1] == 0 && MemCmpT(data + 2, _grf_cont_v2_sig, 8) == 0) {
 /* Valid container version 2, get data section size. */
- size_t offset = (data[13] << 24) | (data[12] << 16) | (data[11] << 8) | data[10];
+ size_t offset = ((size_t)data[13] << 24) | ((size_t)data[12] << 16) | ((size_t)data[11] << 8) | (size_t)data[10];
+ if (offset >= 1 * 1024 * 1024 * 1024) {
+ DEBUG(grf, 0, "Unexpectedly large offset for NewGRF");
+ /* Having more than 1 GiB of data is very implausible. Mostly because then
+ * all pools in OpenTTD are flooded already. Or it's just Action C all over.
+ * In any case, the offsets to graphics will likely not work either. */
+ return SIZE_MAX;
+ }
 return header_len + offset;
 }
 }
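Review bot: The new `return SIZE_MAX;` turns SIZE_MAX into an in-band error value of GRFGetSizeOfDataSection, but nothing in the hunk documents that contract, and the caller that consumes the size lies outside the hunk, so it cannot be confirmed here that it checks for SIZE_MAX before using the value in an allocation or seek. A doc comment on the function along the lines of `Returns SIZE_MAX when the container records an implausibly large data-section offset; callers must treat this as a corrupt file rather than a size.` would make that explicit. The bound is a plausibility limit rather than a check against the actual file length, so an offset below 1 GiB that still points past the end of the file passes unchanged; whether a later read detects that is not visible in this hunk. As a matter of style, the literal `1 * 1024 * 1024 * 1024` would read better as a named constant next to the function, and logging the rejected offset value in the DEBUG call would help when diagnosing a malformed file. The enclosing function and the declarations of `data` and `header_len` begin before the hunk.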