From 1eefea00737117706bb6cca5a2882cb2e081d5ab Mon Sep 17 00:00:00 2001
From: Holden Rohrer <hr@hrhr.dev>
Date: Thu, 16 Jul 2020 12:32:48 -0400
Subject: Socket checks coord sizes (esp. to prevent non-list inputs)

---
 socket.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/socket.js b/socket.js
index e49cd28..47e558d 100644
--- a/socket.js
+++ b/socket.js
@@ -48,9 +48,10 @@ class Socket extends retryws {
     });
 
     this.fetch = function(coords){ //coords is a list of min/max pairs of y/x coordinate pairs which each describe at most 1000 tiles
-    //Unchecked for speed
       for (let i=0; i<coords.length; i++){
-        coords[i] = {"minY":coords[i][0][0], "minX":coords[i][0][1], "maxY":coords[i][1][0], "maxX":coords[i][1][1]};
+        let c = coords[i];
+        if ( (c[1][0]-c[0][0]+1) * (c[1][1]-c[0][1]+1) > 1000) throw "Fetch has overlarge rectangular request";
+        coords[i] = {"minY":c[0][0], "minX":c[0][1], "maxY":c[1][0], "maxX":c[1][1]};
       }
       this.send( JSON.stringify({
         "fetchRectangles": coords,
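Review bot: The size guard on the added `if` line rejects only what the arithmetic happens to catch, so a malformed rectangle can still reach `this.send`: a non-numeric coordinate makes the product `NaN`, and `NaN > 1000` is false, while a rectangle with one inverted axis gives a negative product that also passes. Validate the four values before computing the area, e.g. `if (![c[0][0], c[0][1], c[1][0], c[1][1]].every(Number.isInteger) || c[1][0] < c[0][0] || c[1][1] < c[0][1]) throw new Error("Fetch has malformed rectangle");`. Throwing an `Error` instead of a bare string would keep a stack trace for callers. Because the loop rewrites `coords[i]` in place, a throw partway through leaves the caller's array half-converted, so it is safer to validate every entry before mutating any. The body of `this.fetch` continues past the end of the hunk.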
-- 
cgit