From ee443818a893dcae92b35d945f27b02ec5b96449 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Janiszewski?=
 <janisozaur@users.noreply.github.com>
Date: Tue, 1 Aug 2017 13:29:16 +0200
Subject: [PATCH] Verify size of objects sent/requested (#6076)

---
 data/language/en-GB.txt                |  2 ++
 src/openrct2/localisation/string_ids.h |  3 +++
 src/openrct2/network/network.cpp       | 21 +++++++++++++++++++++
 src/openrct2/scenario/scenario.h       |  2 +-
 4 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/data/language/en-GB.txt b/data/language/en-GB.txt
index bd3b16d3e5..fbb546f6f8 100644
--- a/data/language/en-GB.txt
+++ b/data/language/en-GB.txt
@@ -4443,6 +4443,8 @@ STR_6131    :Object source
 STR_6132    :Ignore research status
 STR_6133    :{SMALLFONT}{BLACK}Access rides and scenery that have not yet been invented
 STR_6134    :Clear Scenery
+STR_6135    :Client sent invalid request
+STR_6136    :Server sent invalid request
 
 #############
 # Scenarios #
diff --git a/src/openrct2/localisation/string_ids.h b/src/openrct2/localisation/string_ids.h
index ed4219cd74..635e861802 100644
--- a/src/openrct2/localisation/string_ids.h
+++ b/src/openrct2/localisation/string_ids.h
@@ -3807,6 +3807,9 @@ enum {
 
     STR_SHORTCUT_CLEAR_SCENERY = 6134,
 
+    STR_MULTIPLAYER_CLIENT_INVALID_REQUEST = 6135,
+    STR_MULTIPLAYER_SERVER_INVALID_REQUEST = 6136,
+
     // Have to include resource strings (from scenarios and objects) for the time being now that language is partially working
     STR_COUNT = 32768
 };
diff --git a/src/openrct2/network/network.cpp b/src/openrct2/network/network.cpp
index 6b0a43c612..21a973b991 100644
--- a/src/openrct2/network/network.cpp
+++ b/src/openrct2/network/network.cpp
@@ -1659,6 +1659,13 @@ void Network::Client_Handle_OBJECTS(NetworkConnection& connection, NetworkPacket
     uint32 size;
     packet >> size;
     log_verbose("client received object list, it has %u entries", size);
+    if (size > OBJECT_ENTRY_COUNT)
+    {
+        connection.SetLastDisconnectReason(STR_MULTIPLAYER_SERVER_INVALID_REQUEST);
+        connection.Socket->Disconnect();
+        log_warning("Server sent invalid amount of objects");
+        return;
+    }
     std::vector<std::string> requested_objects;
     for (uint32 i = 0; i < size; i++)
     {
@@ -1686,6 +1693,20 @@ void Network::Server_Handle_OBJECTS(NetworkConnection& connection, NetworkPacket
 {
     uint32 size;
     packet >> size;
+    if (size > OBJECT_ENTRY_COUNT)
+    {
+        connection.SetLastDisconnectReason(STR_MULTIPLAYER_CLIENT_INVALID_REQUEST);
+        connection.Socket->Disconnect();
+        std::string playerName = "(unknown)";
+        if (connection.Player)
+        {
+            playerName = connection.Player->Name;
+        }
+        std::string text = std::string("Player ") + playerName + std::string(" requested invalid amount of objects");
+        AppendServerLog(text);
+        log_warning(text.c_str());
+        return;
+    }
     log_verbose("Client requested %u objects", size);
     IObjectRepository * repo = GetObjectRepository();
     for (uint32 i = 0; i < size; i++)
diff --git a/src/openrct2/scenario/scenario.h b/src/openrct2/scenario/scenario.h
index 2d83372bb5..4b2a317bbd 100644
--- a/src/openrct2/scenario/scenario.h
+++ b/src/openrct2/scenario/scenario.h
@@ -99,7 +99,7 @@ typedef struct rct_s6_data {
     // packed objects
 
     // SC6[3]
-    rct_object_entry objects[721];
+    rct_object_entry objects[OBJECT_ENTRY_COUNT];
 
     // SC6[4]
     uint16 elapsed_months;