From eeeebe5525c3ec4109b895e86e736896bfe8fcb8 Mon Sep 17 00:00:00 2001
From: Ted John <ted@brambles.org>
Date: Tue, 18 Jul 2017 17:34:05 +0100
Subject: [PATCH] Fix #5939: Crash when importing 'Six Flags Santa Fe'

Protect fix_invalid_vehicle_sprite_sizes from invalid vehicle chains.
---
 distribution/changelog.txt  |  1 +
 src/openrct2/ride/ride.c    | 12 ++++++------
 src/openrct2/ride/vehicle.c |  8 ++++++++
 src/openrct2/ride/vehicle.h |  1 +
 4 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/distribution/changelog.txt b/distribution/changelog.txt
index 770d08aae3..80eb87d60c 100644
--- a/distribution/changelog.txt
+++ b/distribution/changelog.txt
@@ -7,6 +7,7 @@
 - Fix: [#5858] Crash when using custom ride with no colour presets.
 - Fix: [#5872] Incorrect OpenGL rendering of masked sprites
 - Fix: [#5920] Placing guest spawn doesn't do anything every 3rd click
+- Fix: [#5939] Crash when importing 'Six Flags Santa Fe'.
 - Improved: The land tool buttons can now be held down to increase/decrease size.
 - Improved: [#5859] OpenGL rendering performance
 - Improved: [#5863] Switching drawing engines no longer requires the application to restart.
diff --git a/src/openrct2/ride/ride.c b/src/openrct2/ride/ride.c
index 96fa047773..f75055cf67 100644
--- a/src/openrct2/ride/ride.c
+++ b/src/openrct2/ride/ride.c
@@ -8706,13 +8706,13 @@ void fix_invalid_vehicle_sprite_sizes()
         for (uint16 j = 0; j < MAX_VEHICLES_PER_RIDE; j++) {
             uint16 rideSpriteIndex = ride->vehicles[j];
             while (rideSpriteIndex != SPRITE_INDEX_NULL) {
-                rct_vehicle *vehicle = GET_VEHICLE(rideSpriteIndex);
-                rct_ride_entry_vehicle *vehicleEntry = vehicle_get_vehicle_entry(vehicle);
+                rct_vehicle * vehicle = try_get_vehicle(rideSpriteIndex);
+                if (vehicle == NULL) {
+                    break;
+                }
 
-                if (vehicle == NULL ||
-                    vehicleEntry == NULL ||
-                    vehicleEntry == (rct_ride_entry_vehicle*)-1)
-                {
+                rct_ride_entry_vehicle * vehicleEntry = vehicle_get_vehicle_entry(vehicle);
+                if (vehicleEntry == NULL || vehicleEntry == (rct_ride_entry_vehicle*)-1) {
                     break;
                 }
 
diff --git a/src/openrct2/ride/vehicle.c b/src/openrct2/ride/vehicle.c
index 85dea9c371..ae101e901e 100644
--- a/src/openrct2/ride/vehicle.c
+++ b/src/openrct2/ride/vehicle.c
@@ -657,6 +657,14 @@ static const struct { sint8 x, y, z; } SteamParticleOffsets[] = {
     {  -8,  -4, 17 }
 };
 
+rct_vehicle * try_get_vehicle(uint16 spriteIndex)
+{
+    rct_sprite * sprite = try_get_sprite(spriteIndex);
+    if (sprite == NULL) return NULL;
+    if (sprite->unknown.sprite_identifier != SPRITE_IDENTIFIER_VEHICLE) return NULL;
+    return &sprite->vehicle;
+}
+
 static void vehicle_invalidate(rct_vehicle *vehicle)
 {
     invalidate_sprite_2((rct_sprite*)vehicle);
diff --git a/src/openrct2/ride/vehicle.h b/src/openrct2/ride/vehicle.h
index 0ae84593f3..284bd63d2a 100644
--- a/src/openrct2/ride/vehicle.h
+++ b/src/openrct2/ride/vehicle.h
@@ -369,6 +369,7 @@ enum {
 #define VEHICLE_SEAT_PAIR_FLAG  0x80
 #define VEHICLE_SEAT_NUM_MASK   0x7F
 
+rct_vehicle * try_get_vehicle(uint16 spriteIndex);
 void vehicle_update_all();
 sint32 sub_6BC2F3(rct_vehicle* vehicle);
 void vehicle_sounds_update();