(svn r12637) -Fix [FS#1913]: possible NULL pointer dereference when reading some NewGRF data.

2024-11-02 09:40:35 +00:00 · 2008-04-09 14:05:50 +00:00 · 2008-04-09 14:05:50 +00:00 · cd23dd64bf
commit cd23dd64bf
parent 16edbb8635
2 changed files with 5 additions and 7 deletions
--- a/src/network/core/config.h
+++ b/src/network/core/config.h
@ -38,14 +38,9 @@ enum {
 	/**
 	 * Maximum number of GRFs that can be sent.
 	 * This value is related to number of handles (files) OpenTTD can open.
-	 * This is currently 64 and about 10 are currently used when OpenTTD loads
-	 * without any NewGRFs. Therefore one can only load about 55 NewGRFs, so
-	 * this is not a limit, but rather a way to easily check whether the limit
-	 * imposed by the handle count is reached. Secondly it isn't possible to
-	 * send much more GRF IDs + MD5sums in the PACKET_UDP_SERVER_RESPONSE, due
-	 * to the limited size of UDP packets.
+	 * This is currently 64. Two are used for configuration and sound.
 	 */
-	NETWORK_MAX_GRF_COUNT         =   55,
+	NETWORK_MAX_GRF_COUNT         =   62,

 	NETWORK_NUM_LANGUAGES         =   36, ///< Number of known languages (to the network protocol) + 1 for 'any'.
 	/**
--- a/src/network/core/udp.cpp
+++ b/src/network/core/udp.cpp
@ -221,6 +221,9 @@ void NetworkUDPSocketHandler::Recv_NetworkGameInfo(Packet *p, NetworkGameInfo *i
 			uint i;
 			uint num_grfs = p->Recv_uint8();

+			/* Broken/bad data. It cannot have that many NewGRFs. */
+			if (num_grfs > NETWORK_MAX_GRF_COUNT) return;
+
 			for (i = 0; i < num_grfs; i++) {
 				GRFConfig *c = CallocT<GRFConfig>(1);
 				this->Recv_GRFIdentifier(p, c);