authorDennis Friis <peavey@placid.dk>2008-04-10 17:07:26 +0000
committerDennis Friis <peavey@placid.dk>2008-04-10 17:07:26 +0000
commit7a0dcb7a9845d0fe34a745c04549434731d2adb0 (patch)
tree27f9577602fb7cde0881a4aa366923c4f680dbc2 /src/map/clif.c
parentfd7f5e8feda49fd7724e96e366f8770f6f7cfe66 (diff)
fix crash in clif_parse_Wis if wrong message length is sent.
Diffstat (limited to 'src/map/clif.c')
-rw-r--r--src/map/clif.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/src/map/clif.c b/src/map/clif.c
index 0a6559c..6124c8f 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -7735,8 +7735,12 @@ void clif_parse_Restart(int fd, struct map_session_data *sd) {
void clif_parse_Wis(int fd, struct map_session_data *sd) { // S 0096 <len>.w <nick>.24B <message>.?B // rewritten by [Yor]
struct map_session_data *dstsd;
int i;
- int gmlen = strlen(RFIFOP(fd,28));
- char gmbuf[512];
+ int gmlen = strlen(RFIFOP(fd,28));
+
+ if (RFIFOW(fd,2)-28 <= 0)
+ return;
+
+ char gmbuf[512];
char *gm_command = ((gmlen+28) > sizeof(gmbuf)) ? (char *) malloc(gmlen + 28) : gmbuf;
// 24+3+(RFIFOW(fd,2)-28)+1 or 24+3+(strlen(RFIFOP(fd,28))+1 (size can be wrong with hacker)
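Review bot: The `strlen(RFIFOP(fd,28))` initialiser of `gmlen` still runs before the added `RFIFOW(fd,2)-28 <= 0` guard, so a packet whose declared length is 28 or less is still read at offset 28 before the function returns. For longer packets the scan stops only at the first NUL byte, not at the declared length, and nothing visible in the hunk guarantees the message field is terminated (the existing comment already notes the size can be wrong). I would declare `int gmlen;` and `char gmbuf[512];` together at the top, keep the guard as `if (RFIFOW(fd,2) <= 28) return;`, and only then compute the length bounded by the packet, e.g. `gmlen = strnlen(RFIFOP(fd,28), RFIFOW(fd,2) - 28);` where `strnlen` is available. That ordering also removes the declaration of `gmbuf` after a statement, which pre-C99 compilers reject. The body of clif_parse_Wis continues past the end of the hunk, so whether later code depends on a terminator cannot be confirmed from here.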