# HG changeset patch
# User smatz <smatz@openttd.org>
# Date 2010-02-01 00:10:52
# Node ID f8ebcffe264b36392308f12c86cc903ad3235e77
# Parent  5a7b6bd2710b44559975d6519d46fa0a9a4f8c46

(svn r18978) -Fix [FS#3584](r14753): possible invalid memory access when merging companies

diff --git a/src/vehicle.cpp b/src/vehicle.cpp
--- a/src/vehicle.cpp
+++ b/src/vehicle.cpp
@@ -1209,10 +1209,10 @@ FreeUnitIDGenerator::FreeUnitIDGenerator
 
 	if (this->maxid == 0) return;
 
-	this->maxid++; // so there is space for last item (with v->unitnumber == maxid)
-	this->maxid++; // this one will always be free (well, it will fail when there are 65535 units, so this overflows)
-
-	this->cache = CallocT<bool>(this->maxid);
+	/* Reserving 'maxid + 2' because we need:
+	 * - space for the last item (with v->unitnumber == maxid)
+	 * - one free slot working as loop terminator in FreeUnitIDGenerator::NextID() */
+	this->cache = CallocT<bool>(this->maxid + 2);
 
 	/* Fill the cache */
 	FOR_ALL_VEHICLES(v) {