Codefix: do not trust allocation sizes coming from a file

2026-01-28 14:44:28 +01:00 · 2025-03-14 18:02:10 +01:00
parent f794ee028b
commit dae788e2e3
2 changed files with 10 additions and 0 deletions
--- a/src/newgrf.cpp
+++ b/src/newgrf.cpp
@@ -9957,6 +9957,13 @@ static void LoadNewGRFFileFromFile(GRFConfig &config, GrfLoadingStage stage, Spr

 		if (type == 0xFF) {
 			if (_cur.skip_sprites == 0) {
+				/* Limit the special sprites to 1 MiB. */
+				if (num > 1024 * 1024) {
+					GrfMsg(0, "LoadNewGRFFile: Unexpectedly large sprite, disabling");
+					DisableGrf(STR_NEWGRF_ERROR_UNEXPECTED_SPRITE);
+					break;
+				}
+
 				DecodeSpecialSprite(buf.Allocate(num), num, stage);

 				/* Stop all processing if we are to skip the remaining sprites */