Subject: fix for vulnerability CVE-2008-3576 for OpenTTD 0.4.5 - 0.4.8 (Buffer overflow in string truncation.) From: OpenTTD developer team Origin: backport, https://github.com/OpenTTD/OpenTTD/commit/71820bf Bug: Buffer overflow in the TruncateString function allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted string. To trigger this bug a custom language file is needed that is large enough to exceed the size of the buffer. No released version of OpenTTD has had strings nearly long enough to trigger this. Index: gfx.c =================================================================== --- gfx.c +++ gfx.c @@ -256,9 +256,10 @@ w += GetCharacterWidth(size, c); if (w >= maxw) { - // string got too big... insert dotdotdot - ddd_pos[0] = ddd_pos[1] = ddd_pos[2] = '.'; - ddd_pos[3] = 0; + /* string got too big... insert dotdotdot, but make sure we do not + * print anything beyond the string termination character. */ + for (int i = 0; *ddd_pos != '\0' && i < 3; i++, ddd_pos++) *ddd_pos = '.'; + *ddd_pos = '\0'; return ddd_w; } } else {
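Review bot: the hunk still does `return ddd_w;` unchanged, but the new loop can now write fewer than three dots when the terminator is reached early (`*ddd_pos != '\0' && i < 3`), so the returned width no longer always matches what was actually written; either document that the ellipsis width is an upper bound or compute the width from the number of dots emitted. The bounds fix itself is sound: the loop never advances past the existing `'\0'`, and the final `*ddd_pos = '\0'` lands either on that terminator or on a byte the loop just overwrote, so no write goes beyond the original string. One style point: the comment was changed from `//` to `/* */` for C89 compatibility, yet `for (int i = 0; ...)` declares a variable in the for-init, which is C99; declare `int i;` before the loop to keep the file consistently C89.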