mirrors/OpenRCT2
1
0
Fork 0
mirror of https://github.com/OpenRCT2/OpenRCT2 synced 2025-12-24 00:03:11 +01:00
Code Issues Releases Wiki Activity

Prevent writing to invalid memory.

Browse Source 
Switch magic number to constant `maxTrackElements`.
If the number of TrackElements becomes equal to maxTrackElements, cleanup the data and abort the export.
This commit is contained in:
Tomas Dittmann
2017-11-23 00:02:55 +01:00
committed by Michael Steenbeek
parent b0aaf13cec
commit 60b457d13f
1 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/openrct2/ride/track_design_save.c
View File

@@ -1006,8 +1006,10 @@ static bool track_design_save_to_td6_for_tracked_ride(uint8 rideIndex, rct_track
sint16 start_z = z + trackCoordinates->z_begin;
gTrackPreviewOrigin = (LocationXYZ16) { start_x, start_y, start_z };
const uint16 maxTrackElements = 8192;
size_t numTrackElements = 0;
td6->track_elements = calloc(8192, sizeof(rct_td6_track_element));
td6->track_elements = calloc(maxTrackElements, sizeof(rct_td6_track_element));
rct_td6_track_element *track = td6->track_elements;
do {
track->type = track_element_get_type(trackElement.element);
@@ -1051,6 +1053,13 @@ static bool track_design_save_to_td6_for_tracked_ride(uint8 rideIndex, rct_track
{
break;
}
if (maxTrackElements == numTrackElements)
{
free(td6->track_elements);
gGameCommandErrorText = STR_TRACK_TOO_LARGE_OR_TOO_MUCH_SCENERY;
return 0;
}
}
while (trackElement.element != initialMap);