From cbef2c8a2966cb120ce9f64c767a391b3294867c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Janiszewski?=
 <janisozaur@users.noreply.github.com>
Date: Mon, 2 Jan 2017 17:11:23 +0100
Subject: [PATCH] Constrain surfaceStyle value to valid range

---
 src/world/map.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/world/map.c b/src/world/map.c
index 59e87f49bc..75fcff957a 100644
--- a/src/world/map.c
+++ b/src/world/map.c
@@ -1581,7 +1581,13 @@ static money32 map_change_surface_style(int x0, int y0, int x1, int y1, uint8 su
 					(mapElement->properties.surface.terrain >> 5);
 
 				if (surfaceStyle != cur_terrain) {
-					surfaceCost += TerrainPricing[surfaceStyle & 0x1F];
+					// Prevent network-originated value of surfaceStyle from causing
+					// invalid access.
+					uint8 style = surfaceStyle & 0x1F;
+					if (style >= countof(TerrainPricing)) {
+						return MONEY32_UNDEFINED;
+					}
+					surfaceCost += TerrainPricing[style];
 					if (flags & 1){
 						mapElement->properties.surface.terrain &= MAP_ELEMENT_WATER_HEIGHT_MASK;
 						mapElement->type &= MAP_ELEMENT_QUADRANT_MASK | MAP_ELEMENT_TYPE_MASK;