From e192da5316e5617a5fd597d4de9181a36b5e4c2e Mon Sep 17 00:00:00 2001
From: Mattes D <github@xoft.cz>
Date: Sun, 21 Dec 2014 22:25:01 +0100
Subject: FastNBT: Added a sanity check for number of list items.

Fixes CID 55812.
---
 src/WorldStorage/FastNBT.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/WorldStorage/FastNBT.cpp b/src/WorldStorage/FastNBT.cpp
index ed8e8bb14..aaef2fdfe 100644
--- a/src/WorldStorage/FastNBT.cpp
+++ b/src/WorldStorage/FastNBT.cpp
@@ -10,6 +10,13 @@
 
 
 
+/** If a list being loaded has more than this number of items, it's considered corrupted. */
+static const int MAX_LIST_ITEMS = 10000;
+
+
+
+
+
 // The number of NBT tags that are reserved when an NBT parsing is started.
 // You can override this by using a cmdline define
 #ifndef NBT_RESERVE_SIZE
@@ -142,7 +149,7 @@ bool cParsedNBT::ReadList(eTagType a_ChildrenType)
 	NEEDBYTES(4);
 	int Count = GetBEInt(m_Data + m_Pos);
 	m_Pos += 4;
-	if (Count < 0)
+	if ((Count < 0) || (Count > MAX_LIST_ITEMS))
 	{
 		return false;
 	}
-- 
cgit v1.2.3