From 0fe60663bf02d95c69c214491fc04384775f1f87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Janiszewski?=
Date: Mon, 31 Jul 2017 22:13:24 +0200
Subject: [PATCH] Verify decoded SawyerChunks

---
 src/openrct2/util/sawyercoding.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/openrct2/util/sawyercoding.c b/src/openrct2/util/sawyercoding.c
index f7e68ba375..0b5b06dc41 100644
--- a/src/openrct2/util/sawyercoding.c
+++ b/src/openrct2/util/sawyercoding.c
@@ -243,16 +243,20 @@ static size_t decode_chunk_rle_with_size(const uint8* src_buffer, uint8* dst_buf
 dst = dst_buffer;
+ assert(length > 0);
+ assert(dstSize > 0);
 for (size_t i = 0; i < length; i++) {
 rleCodeByte = src_buffer[i];
 if (rleCodeByte & 128) {
 i++;
 count = 257 - rleCodeByte;
 assert(dst + count <= dst_buffer + dstSize);
+ assert(i < length);
 memset(dst, src_buffer[i], count);
 dst = (uint8*)((uintptr_t)dst + count);
 } else {
 assert(dst + rleCodeByte + 1 <= dst_buffer + dstSize);
+ assert(i + 1 < length);
 memcpy(dst, src_buffer + i + 1, rleCodeByte + 1);
 dst = (uint8*)((uintptr_t)dst + rleCodeByte + 1);
 i += rleCodeByte + 1;