Index: src/saveload/cheat_sl.cpp
===================================================================
--- src/saveload/cheat_sl.cpp	(revision 22729)
+++ src/saveload/cheat_sl.cpp	(working copy)
@@ -38,6 +38,8 @@
 {
 	Cheat *cht = (Cheat*)&_cheats;
 	size_t count = SlGetFieldLength() / 2;
+	/* Cannot use lengthof because _cheats is of type Cheats, not Cheat */
+	if (count > sizeof(_cheats) / sizeof(Cheat)) SlErrorCorrupt("Too many cheat values");
 
 	for (uint i = 0; i < count; i++) {
 		cht[i].been_used = (SlReadByte() != 0);
Index: src/saveload/company_sl.cpp
===================================================================
--- src/saveload/company_sl.cpp	(revision 22729)
+++ src/saveload/company_sl.cpp	(working copy)
@@ -283,6 +283,7 @@
 	SlObject(&cprops->cur_economy, _company_economy_desc);
 
 	/* Write old economy entries. */
+	if (cprops->num_valid_stat_ent > lengthof(cprops->old_economy)) SlErrorCorrupt("Too many old economy entries");
 	for (i = 0; i < cprops->num_valid_stat_ent; i++) {
 		SlObject(&cprops->old_economy[i], _company_economy_desc);
 	}
Index: src/saveload/strings_sl.cpp
===================================================================
--- src/saveload/strings_sl.cpp	(revision 22729)
+++ src/saveload/strings_sl.cpp	(working copy)
@@ -123,7 +123,12 @@
 	int index;
 
 	while ((index = SlIterateArray()) != -1) {
+		if (index >= 512) SlErrorCorrupt("Invalid old name index");
+		if (SlGetFieldLength() > 32) SlErrorCorrupt("Invalid old name length");
+
 		SlArray(&_old_name_array[32 * index], SlGetFieldLength(), SLE_UINT8);
+		/* Make sure the old name is null terminated */
+		_old_name_array[32 * index + 31] = '\0';
 	}
 }