From 23dc14b2869c58457de2606ced7bd2fc2c1fb682 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Janiszewski?=
Date: Tue, 11 Dec 2018 19:35:27 +0100
Subject: [PATCH] Improve checks for object files (#8417)
---
 src/openrct2/object/ObjectRepository.cpp | 2 +-
 src/openrct2/rct12/SawyerChunkReader.cpp | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/openrct2/object/ObjectRepository.cpp b/src/openrct2/object/ObjectRepository.cpp
index 38b2eab13e..68a92d409f 100644
--- a/src/openrct2/object/ObjectRepository.cpp
+++ b/src/openrct2/object/ObjectRepository.cpp
@@ -71,7 +71,7 @@ class ObjectFileIndex final : public FileIndex
 {
 private:
 static constexpr uint32_t MAGIC_NUMBER = 0x5844494F; // OIDX
- static constexpr uint16_t VERSION = 18;
+ static constexpr uint16_t VERSION = 19;
 static constexpr auto PATTERN = "*.dat;*.pob;*.json;*.parkobj";
 IObjectRepository& _objectRepository;
diff --git a/src/openrct2/rct12/SawyerChunkReader.cpp b/src/openrct2/rct12/SawyerChunkReader.cpp
index ec3b9b88a2..8df3921a49 100644
--- a/src/openrct2/rct12/SawyerChunkReader.cpp
+++ b/src/openrct2/rct12/SawyerChunkReader.cpp
@@ -195,6 +195,10 @@ size_t SawyerChunkReader::DecodeChunkRLE(void* dst, size_t dstCapacity, const vo
 {
 throw SawyerChunkException(EXCEPTION_MSG_DESTINATION_TOO_SMALL);
 }
+ if (i + 1 + rleCodeByte + 1 > srcLength)
+ {
+ throw SawyerChunkException(EXCEPTION_MSG_CORRUPT_RLE);
+ }
 std::memcpy(dst8, src8 + i + 1, rleCodeByte + 1);
 dst8 += rleCodeByte + 1;
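Review bot: The new source-length guard in the SawyerChunkReader.cpp hunk has no comment saying which read it protects, and the run length `rleCodeByte + 1` is now repeated in the guard, the `std::memcpy` length and the `dst8` advance. I would name it once, e.g. `const size_t runLength = static_cast<size_t>(rleCodeByte) + 1;`, test `if (i + 1 + runLength > srcLength)`, and add a comment such as `// literal run: runLength bytes are read from src8 + i + 1, so reject input that ends before the run does`. The declarations of `i` and `rleCodeByte` are outside the hunk; if `i + 1 < srcLength` is already guaranteed at this point, `runLength > srcLength - (i + 1)` states the same bound without depending on the sum not wrapping. DecodeChunkRLE starts and ends outside the hunk, so it is worth confirming that its other run branch validates the source length in the same way.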