Pathfinder: only load and store good length values

This avoids buffer overruns on load and save of games. This should fix some crashes. See #610
Wargus · Feb 25, 2024 · 522bd12 · 522bd12
1 parent 737be8f
commit 522bd12
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/src/unit/script_unit.cpp b/src/unit/script_unit.cpp
@@ -257,10 +257,16 @@ void PathFinderOutput::Load(lua_State *l)
 				LuaError(l, "incorrect argument _");
 			}
 			const int subargs = lua_rawlen(l, -1);
-			for (int k = 0; k < subargs; ++k) {
-				this->Path[k] = LuaToNumber(l, -1, k + 1);
+			if (subargs <= PathFinderOutput::MAX_PATH_LENGTH)
+			{
+				for (int k = 0; k < subargs; ++k) {
+					this->Path[k] = LuaToNumber(l, -1, k + 1);
+				}
+				this->Length = subargs;
+			} else
+			{
+				this->Length = 0;
 			}
-			this->Length = subargs;
 			lua_pop(l, 1);
 		} else {
 			LuaError(l, "PathFinderOutput::Load: Unsupported tag: %s", tag.data());

diff --git a/src/unit/unit_save.cpp b/src/unit/unit_save.cpp
@@ -103,8 +103,10 @@ void PathFinderOutput::Save(CFile &file) const
 	}
 	if (this->Length > 0) {
 		file.printf("\"path\", {");
-		for (int i = 0; i < this->Length; ++i) {
-			file.printf("%d, ", this->Path[i]);
+		if (this->Length <= PathFinderOutput::MAX_PATH_LENGTH) {
+			for (int i = 0; i < this->Length; ++i) {
+				file.printf("%d, ", this->Path[i]);
+			}
 		}
 		file.printf("},");
 	}