# HG changeset patch
# User yexo <yexo@openttd.org>
# Date 2010-04-06 21:16:36
# Node ID e24469d4e684cb4194029f031a7fced4cb7c6212
# Parent  e6fb31adead19f64e8fc7f97fbe17df9cf828a14

(svn r19569) -Fix: possible buffer underflow in newgrf string code

diff --git a/src/newgrf_text.cpp b/src/newgrf_text.cpp
--- a/src/newgrf_text.cpp
+++ b/src/newgrf_text.cpp
@@ -636,7 +636,7 @@ void RewindTextRefStack()
  * @param argv  the OpenTTD stack of values
  * @return the string control code to "execute" now
  */
-uint RemapNewGRFStringControlCode(uint scc, char **buff, const char **str, int64 *argv)
+uint RemapNewGRFStringControlCode(uint scc, char *buf_start, char **buff, const char **str, int64 *argv)
 {
 	if (_newgrf_textrefstack->used) {
 		switch (scc) {
@@ -663,7 +663,7 @@ uint RemapNewGRFStringControlCode(uint s
 
 			case SCC_NEWGRF_ROTATE_TOP_4_WORDS:   _newgrf_textrefstack->RotateTop4Words(); break;
 			case SCC_NEWGRF_PUSH_WORD:            _newgrf_textrefstack->PushWord(Utf8Consume(str)); break;
-			case SCC_NEWGRF_UNPRINT:              *buff -= Utf8Consume(str); break;
+			case SCC_NEWGRF_UNPRINT:              *buff = max(*buff - Utf8Consume(str), buf_start); break;
 
 			case SCC_NEWGRF_PRINT_STRING_ID:
 				*argv = TTDPStringIDToOTTDStringIDMapping(_newgrf_textrefstack->PopUnsignedWord());
diff --git a/src/newgrf_text.h b/src/newgrf_text.h
--- a/src/newgrf_text.h
+++ b/src/newgrf_text.h
@@ -28,7 +28,7 @@ void StopTextRefStackUsage();
 void SwitchToNormalRefStack();
 void SwitchToErrorRefStack();
 void RewindTextRefStack();
-uint RemapNewGRFStringControlCode(uint scc, char **buff, const char **str, int64 *argv);
+uint RemapNewGRFStringControlCode(uint scc, char *buf_start, char **buff, const char **str, int64 *argv);
 
 StringID TTDPStringIDToOTTDStringIDMapping(StringID string);
 
diff --git a/src/strings.cpp b/src/strings.cpp
--- a/src/strings.cpp
+++ b/src/strings.cpp
@@ -554,11 +554,12 @@ static char *FormatString(char *buff, co
 	WChar b;
 	int64 *argv_orig = argv;
 	uint modifier = 0;
+	char *buf_start = buff;
 
 	while ((b = Utf8Consume(&str)) != '\0') {
 		if (SCC_NEWGRF_FIRST <= b && b <= SCC_NEWGRF_LAST) {
 			/* We need to pass some stuff as it might be modified; oh boy. */
-			b = RemapNewGRFStringControlCode(b, &buff, &str, argv);
+			b = RemapNewGRFStringControlCode(b, buf_start, &buff, &str, argv);
 			if (b == 0) continue;
 		}