# HG changeset patch
# User rubidium
# Date 1186582685 0
# Node ID e8dd555767bdcfb8449e4e9644e632029ca57a00
# Parent d9bc116f2f54f8462a184862f8c381e1cd5782e4
(svn r10827) -Fix [FS#1112]: out of bounds access in corner case of list allocations of vehicles.
diff -r d9bc116f2f54 -r e8dd555767bd src/oldpool.h
--- a/src/oldpool.h Tue Aug 07 23:07:10 2007 +0000
+++ b/src/oldpool.h Wed Aug 08 14:18:05 2007 +0000
@@ -234,22 +234,14 @@
 return false;
 }

-protected:
- /**
- * Allocate a pool item; possibly allocate a new block in the pool.
- * @return the allocated pool item (or NULL when the pool is full).
- */
- static inline T *AllocateRaw()
- {
- return AllocateRaw(Tpool->first_free_index);
- }
-
+private:
 /**
 * Allocate a pool item; possibly allocate a new block in the pool.
 * @param first the first pool item to start searching
+ * @pre first <= Tpool->GetSize()
 * @return the allocated pool item (or NULL when the pool is full).
 */
- static inline T *AllocateRaw(uint &first)
+ static inline T *AllocateSafeRaw(uint &first)
 {
 uint last_minus_one = Tpool->GetSize() - 1;

@@ -270,6 +262,28 @@
 return NULL;
 }

+protected:
+ /**
+ * Allocate a pool item; possibly allocate a new block in the pool.
+ * @return the allocated pool item (or NULL when the pool is full).
+ */
+ static inline T *AllocateRaw()
+ {
+ return AllocateSafeRaw(Tpool->first_free_index);
+ }
+
+ /**
+ * Allocate a pool item; possibly allocate a new block in the pool.
+ * @param first the first pool item to start searching
+ * @return the allocated pool item (or NULL when the pool is full).
+ */
+ static inline T *AllocateRaw(uint &first)
+ {
+ if (first >= Tpool->GetSize() && !Tpool->AddBlockToPool()) return NULL;
+
+ return AllocateSafeRaw(first);
+ }
+
 /**
 * Are we cleaning this pool?
 * @return true if we are
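Review bot: The new `@pre first <= Tpool->GetSize()` on AllocateSafeRaw (first hunk) is documented but nothing in the visible lines enforces it, so a later caller that bypasses the checked `AllocateRaw(uint &first)` wrapper would bring back the out-of-bounds access this commit fixes. The no-argument `AllocateRaw()` added further down already passes `Tpool->first_free_index` without a check, which is only safe if that index can never exceed the pool size. Consider opening the function with `assert(first <= Tpool->GetSize());` so a violation fails loudly in debug builds. Separately, `uint last_minus_one = Tpool->GetSize() - 1;` wraps to the maximum uint value if the pool is still empty; the rest of the body lies outside the hunk, so whether that case is reachable cannot be confirmed from here.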