[Crash]: Nullptr dereference can occur in check for whether RealSpriteGroup contains only one value

Question

[Crash]: Nullptr dereference can occur in check for whether RealSpriteGroup contains only one value

Closed this issue 25 days ago · 0 comments

Version of OpenTTD

Steps to reproduce

In newgrf.cpp

if (std::adjacent_find(loaded.begin(),  loaded.end(),  std::not_equal_to<>()) == loaded.end() &&
	std::adjacent_find(loading.begin(), loading.end(), std::not_equal_to<>()) == loading.end() &&
	loaded[0] == loading[0])

If on or other of these is empty, and the other has at least two entries which are all the same, then the prior num_loaded + num_loading == 0 and num_loaded + num_loading == 1 cases aren't met, and then loaded[0]/loading[0] can index into an empty vector (i.e. nullptr dereference).

Upload crash files

I don't have access to the GRF(s) which generated the crash report which highlighted this issue.