From 95e3895b89e61004dfbb18e5537ca5d483fce996 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Janiszewski?=
Date: Sun, 24 Jan 2016 19:31:40 +0100
Subject: [PATCH] Game commands' argument validation
---
 src/core/String.cpp | 2 +-
 src/management/research.c | 8 +++++++-
 src/ride/track.c | 10 ++++++++++
 src/world/map.c | 6 ++++++
 4 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/src/core/String.cpp b/src/core/String.cpp
index cf4600bf2a..4252cab76c 100644
--- a/src/core/String.cpp
+++ b/src/core/String.cpp
@@ -149,7 +149,7 @@ namespace String
 const utf8 * SkipBOM(const utf8 * buffer)
 {
- if (buffer[0] == 0xEF && buffer[1] == 0xBB && buffer[2] == 0xBF)
+ if ((unsigned char)buffer[0] == 0xEF && (unsigned char)buffer[1] == 0xBB && (unsigned char)buffer[2] == 0xBF)
 {
 return buffer + 3;
 }
diff --git a/src/management/research.c b/src/management/research.c
index 61ea7c2290..1beab742bf 100644
--- a/src/management/research.c
+++ b/src/management/research.c
@@ -559,8 +559,14 @@ void game_command_set_research_funding(int* eax, int* ebx, int* ecx, int* edx, i
 RCT2_GLOBAL(RCT2_ADDRESS_NEXT_EXPENDITURE_TYPE, uint8) = RCT_EXPENDITURE_TYPE_RESEARCH * 4;
 if (*ebx & GAME_COMMAND_FLAG_APPLY) {
- if (!setPriorities)
+ if (!setPriorities) {
+ if (fundingAmount < 0 || fundingAmount >= countof(_researchRate)) {
+ *ebx = MONEY32_UNDEFINED;
+ log_warning("Invalid research rate %d", fundingAmount);
+ return;
+ }
 RCT2_GLOBAL(RCT2_ADDRESS_CURRENT_RESEARCH_LEVEL, uint8) = fundingAmount;
+ }
 else
 RCT2_GLOBAL(RCT2_ADDRESS_ACTIVE_RESEARCH_TYPES, uint8) = activeCategories;
diff --git a/src/ride/track.c b/src/ride/track.c
index 8c512078e8..7f936af9bc 100644
--- a/src/ride/track.c
+++ b/src/ride/track.c
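Review bot: In src/core/String.cpp, SkipBOM still takes no length, so the three-byte probe stays in bounds only because `&&` short-circuits at the terminator of a NUL-terminated buffer. That precondition is not written down anywhere in the hunk. I would add a comment above the condition such as `// buffer must be NUL-terminated; short-circuiting stops the probe at the terminator`, so that a caller passing a raw, unterminated file buffer shorter than three bytes is recognised as a misuse. The function body continues outside the hunk.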
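Review bot: In src/management/research.c, the new range check on `fundingAmount` sits inside the `if (*ebx & GAME_COMMAND_FLAG_APPLY)` branch, so a call without the apply flag that carries an out-of-range value is not rejected by this hunk. If callers rely on the non-apply pass to learn whether a command is valid, that pass and the apply pass now disagree. Hoisting the guard above the flag test, as `if (!setPriorities && (fundingAmount < 0 || fundingAmount >= countof(_researchRate)))` with the same three-line body, keeps both passes consistent; the map.c hunk in this patch already validates before its flag test. The function starts and ends outside the hunk, so the declared type of `fundingAmount` (and whether `< 0` can ever be true) should be confirmed there.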
@@ -4082,7 +4082,17 @@ static bool sub_6C4D89(int x, int y, int z, int direction, int rideIndex, int fl
 static money32 track_place(int rideIndex, int type, int originX, int originY, int originZ, int direction, int properties_1, int properties_2, int properties_3, int edx_flags, int flags)
 {
 rct_ride *ride = get_ride(rideIndex);
+ if (ride == NULL)
+ {
+ log_warning("Invalid ride for track placement, rideIndex = %d", rideIndex);
+ return MONEY32_UNDEFINED;
+ }
 rct_ride_type *rideEntry = get_ride_entry(ride->subtype);
+ if (rideEntry == (rct_ride_type *)0xFFFFFFFF)
+ {
+ log_warning("Invalid ride type for track placement, rideIndex = %d", rideIndex);
+ return MONEY32_UNDEFINED;
+ }
 rct_map_element *mapElement;
 RCT2_GLOBAL(RCT2_ADDRESS_NEXT_EXPENDITURE_TYPE, uint8) = RCT_EXPENDITURE_TYPE_RIDE_CONSTRUCTION * 4;
diff --git a/src/world/map.c b/src/world/map.c
index 1b9f52acd3..2e1013e0b2 100644
--- a/src/world/map.c
+++ b/src/world/map.c
@@ -1801,6 +1801,12 @@ money32 raise_land(int flags, int x, int y, int z, int ax, int ay, int bx, int b
 {
 money32 cost = 0;
+ if (selectionType < 0 || selectionType >= countof(map_element_raise_styles))
+ {
+ log_warning("Invalid selection type %d for raising land", selectionType);
+ return MONEY32_UNDEFINED;
+ }
+
 if ((flags & GAME_COMMAND_FLAG_APPLY) && RCT2_GLOBAL(0x009A8C28, uint8) == 1) {
 audio_play_sound_at_location(SOUND_PLACE_ITEM, x, y, z);
 }
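Review bot: In track_place, the ride-entry guard compares against the bare literal `(rct_ride_type *)0xFFFFFFFF` and does not reject a NULL entry. The literal equals an all-ones pointer only where pointers are 32 bits wide, and nothing in the hunk says what the sentinel means. I would widen the test to `if (rideEntry == NULL || rideEntry == (rct_ride_type *)0xFFFFFFFF)` and add a one-line comment stating that this value marks an unloaded ride entry, if that is what get_ride_entry returns; its definition is not visible here. Note also that `ride->subtype` is passed to get_ride_entry unchecked, so the guard is only as good as that function's own bounds handling. The function body continues outside the hunk.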
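Review bot: In raise_land, the bound test compares the signed `selectionType` with the unsigned result of `countof(...)`; it is correct only because the `< 0` test runs first, and it will trip `-Wsign-compare`. Writing it as `if (selectionType < 0 || (size_t)selectionType >= countof(map_element_raise_styles))` makes the intent explicit and silences the warning. Separately, this patch touches only raise_land: if a lowering counterpart indexes a similar style table with the same argument, it needs the same guard, which cannot be confirmed from this hunk. The function's signature and the rest of its body lie outside the hunk.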