From 7a0dcb7a9845d0fe34a745c04549434731d2adb0 Mon Sep 17 00:00:00 2001
From: Dennis Friis
Date: Thu, 10 Apr 2008 17:07:26 +0000
Subject: fix crash in clif_parse_Wis if wrong message length is sent.

---
 src/map/clif.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

(limited to 'src/map/clif.c')

diff --git a/src/map/clif.c b/src/map/clif.c
index 0a6559c..6124c8f 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -7735,8 +7735,12 @@ void clif_parse_Restart(int fd, struct map_session_data *sd) {
 void clif_parse_Wis(int fd, struct map_session_data *sd) {
 // S 0096 .w .24B .?B // rewritten by [Yor]
 struct map_session_data *dstsd;
 int i;
- int gmlen = strlen(RFIFOP(fd,28));
- char gmbuf[512];
+ int gmlen = strlen(RFIFOP(fd,28));
+
+ if (RFIFOW(fd,2)-28 <= 0)
+ return;
+
+ char gmbuf[512];
 char *gm_command = ((gmlen+28) > sizeof(gmbuf)) ? (char *) malloc(gmlen + 28) : gmbuf; // 24+3+(RFIFOW(fd,2)-28)+1 or 24+3+(strlen(RFIFOP(fd,28))+1 (size can be wrong with hacker)
-- 
cgit v1.2.3-60-g2f50
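Review bot: The new guard `if (RFIFOW(fd,2)-28 <= 0)` is placed after `int gmlen = strlen(RFIFOP(fd,28));`, so the payload is already walked by strlen before the packet length is ever inspected; the length check should come first, e.g. `if (RFIFOW(fd,2) <= 28)` / `return;` followed by the `gmlen` initialisation, which also avoids relying on the subtraction going negative. Even with the guard moved, strlen stops only at a NUL and never consults the declared length, so the "size can be wrong" case the trailing comment mentions is still unbounded; deriving the message length from `RFIFOW(fd,2)-28` and verifying that a terminator exists inside that range would close it. Whether `<= 0` catches declared lengths below 28 depends on the return type of `RFIFOW`, which is defined outside this hunk. Declaring `char gmbuf[512];` after the `if` statement is a C99 mixed declaration and will not build if the project still targets C89 toolchains. clif_parse_Wis continues past the end of the hunk.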