Teeworlds
discord.gg/teeworlds / development
For discussions around the development of the official Teeworlds
Between 2019-03-22 00:00:00Z and 2019-03-23 00:00:00Z
Hello Teeworlds dev team, There is an integer overflow bug in CDataFileReader::Open() which can lead to a buffer overflow and possibly RCE. The integer overflow(s) occur when calculating the Size and AllocSize.
```C++
unsigned Size = 0;
Size += Header.m_NumItemTypes*sizeof(CDatafileItemType);
Size += (Header.m_NumItems+Header.m_NumRawData)*sizeof(int);
if(Header.m_Version == 4)
    Size += Header.m_NumRawData*sizeof(int); // v4 has uncompressed data sizes as well
Size += Header.m_Ite...
```
16:11
Hello Teeworlds dev team, There is an integer overflow in CMap::Load() which can lead to a buffer overflow.
```C++
CTile *pTiles = static_cast<CTile *>(mem_alloc(pTilemap->m_Width * pTilemap->m_Height * sizeof(CTile), 1));

// extract original tile data
int i = 0;
CTile *pSavedTiles = static_cast<CTile *>(m_DataFile.GetData(pTilemap->m_Data));
while(i < pTilemap->m_Width * pTilemap->m_Height)
{
    for(unsigned Counter = 0; Counter <= pSavedTiles->m_Skip && i < pTilemap->m_Widt...
```
16:24
Hello Teeworlds dev team, There is a failed bounds check in CDataFileReader::GetData() and CDataFileReader::ReplaceData() and related functions which can lead to an arbitrary free and OOB pointer write and possibly leading to RCE.
```C++
void *CDataFileReader::GetData(int Index)
{
    return GetDataImpl(Index, 0);
}

void CDataFileReader::ReplaceData(int Index, char *pData)
{
    // make sure the data has been loaded
    GetDataImpl(Index, 0);
    UnloadData(Index);
    m_pDataFile->m_ppD...
```
17:13
b31557a Small code fixes - Dune-jr
995ba19 Merge pull request #2072 from Dune-jr/code-fixes - oy
d436fdb added some online checks before trying to send ... - oy
975baec made it possible to change the skin ingame. clo... - oy
132cfa7 Merge branch 'master' of https://github.com/tee... - oy