From e1616fdd827af2b36e15b796e843044f9c9f3739 Mon Sep 17 00:00:00 2001
From: Simon Robertshaw
Date: Fri, 15 Nov 2013 14:38:22 +0000
Subject: [PATCH] Hotfix: Don't open saves larger than 200MB

---
 src/client/GameSave.cpp | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/client/GameSave.cpp b/src/client/GameSave.cpp
index 159db6fd0..863903477 100644
--- a/src/client/GameSave.cpp
+++ b/src/client/GameSave.cpp
@@ -472,8 +472,13 @@ void GameSave::readOPS(char * data, int dataLength)
 bsonDataLen |= ((unsigned)inputData[9]) << 8;
 bsonDataLen |= ((unsigned)inputData[10]) << 16;
 bsonDataLen |= ((unsigned)inputData[11]) << 24;
-
- bsonData = (unsigned char*)malloc(bsonDataLen+1);
+
+ //Check for overflows, don't load saves larger than 200MB
+ unsigned int toAlloc = bsonDataLen+1;
+ if(toAlloc > 209715200 || !toAlloc)
+ throw ParseException(ParseException::InvalidDimensions, "Save data too large, refusing");
+
+ bsonData = (unsigned char*)malloc(toAlloc);
 if(!bsonData)
 throw ParseException(ParseException::InternalError, "Unable to allocate memory");
 
@@ -1146,6 +1151,10 @@ void GameSave::readPSv(char * data, int dataLength)
 i |= ((unsigned)c[9])<<8;
 i |= ((unsigned)c[10])<<16;
 i |= ((unsigned)c[11])<<24;
+
+ if(i > 209715200 || !i)
+ throw ParseException(ParseException::InvalidDimensions, "Save data too large");
+
+ d = (unsigned char *)malloc(i);
 if (!d)
 throw ParseException(ParseException::Corrupt, "Cannot allocate memory");
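Review bot: The 200 MB limit in the added readOPS check is the bare literal `209715200`, and the readPSv hunk repeats it, so the two limits can drift apart. A shared named constant such as `static const unsigned int maxSaveDataSize = 200u * 1024u * 1024u;`, tested before the addition with `if(bsonDataLen >= maxSaveDataSize)`, would also cover the `bsonDataLen+1` wrap-around without the separate `!toAlloc` term. `bsonDataLen` is assembled from bytes of the save itself, so a very small file can still declare a length that leads to an allocation of up to 200 MB. Whether the declared length is compared with `dataLength` elsewhere cannot be seen, because the body of readOPS starts and ends outside the hunk.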
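Review bot: The added guard `if(i > 209715200 || !i)` in readPSv rejects an over-large length only if `i` is unsigned, and its declaration is outside the hunk. If `i` is a plain `int`, a length field with the top bit of `c[11]` set gives a negative value that passes this test and reaches `malloc(i)` as a very large size, leaving the null check as the only protection. Writing the test as `if(i <= 0 || i > 209715200)` is correct for either signedness. The zero-length case is also reported as "Save data too large" under `ParseException::InvalidDimensions`; a separate message such as `"Save data length is zero"` would make that failure easier to diagnose.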