mart3p opened the ticket and wrote:

I have been experiencing a random crash when using pb_ukrs.grf.

This problem was introduced in r4537 in newrgf.c. In the process of replacing the "if" cascade with a switch block in the sprite group loader, a buffer length check was removed.

A varaction 2 type 85 or 86 (doubleword type) will fall through the switch block to the default case (for loading normal (non-varaction) action 2s).

A type 85, for example, will then be processed as if it had 0x85 loaded states, so data is read from past the end of the buffer. This sometimes causes an immediate crash but more often will crash when a game is started.

The patch re-adds a length check. It also adds a case, to explicitly test for types 85, 86, 89 and 8A, and give a suitable debug message.

Attachments

• GRF_bug_fix.patch (0.93 KiB)

Reported version: trunk
Operating system: All

This issue was imported from FlySpray: https://bugs.openttd.org/task/138