diff --git a/src/newgrf.cpp b/src/newgrf.cpp index ef8ec93ace..786c5f3734 100644 --- a/src/newgrf.cpp +++ b/src/newgrf.cpp @@ -2494,6 +2494,11 @@ static ChangeInfoResult RailTypeChangeInfo(uint id, int numinfo, int prop, ByteR extern RailtypeInfo _railtypes[RAILTYPE_END]; + if (id + numinfo > RAILTYPE_END) { + grfmsg(1, "RailTypeChangeInfo: Rail type %u is invalid, max %u, ignoring", id + numinfo, RAILTYPE_END); + return CIR_INVALID_ID; + } + for (int i = 0; i < numinfo; i++) { RailType rt = _cur_grffile->railtype_map[id + i]; if (rt == INVALID_RAILTYPE) return CIR_INVALID_ID; @@ -2589,6 +2594,11 @@ static ChangeInfoResult RailTypeReserveInfo(uint id, int numinfo, int prop, Byte { ChangeInfoResult ret = CIR_SUCCESS; + if (id + numinfo > RAILTYPE_END) { + grfmsg(1, "RailTypeReserveInfo: Rail type %u is invalid, max %u, ignoring", id + numinfo, RAILTYPE_END); + return CIR_INVALID_ID; + } + for (int i = 0; i < numinfo; i++) { switch (prop) { case 0x08: // Label of rail type