author | Dennis Friis <peavey@placid.dk> | 2008-04-10 17:07:26 +0000 |
---|---|---|
committer | Dennis Friis <peavey@placid.dk> | 2008-04-10 17:07:26 +0000 |
commit | 7a0dcb7a9845d0fe34a745c04549434731d2adb0 (patch) | |
tree | 27f9577602fb7cde0881a4aa366923c4f680dbc2 /src/map | |
parent | fd7f5e8feda49fd7724e96e366f8770f6f7cfe66 (diff) | |
fix crash in clif_parse_Wis if wrong message length is sent.
Diffstat (limited to 'src/map')
-rw-r--r-- | src/map/clif.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/map/clif.c b/src/map/clif.c
index 0a6559c..6124c8f 100644
--- a/src/map/clif.c
+++ b/src/map/clif.c
@@ -7735,8 +7735,12 @@ void clif_parse_Restart(int fd, struct map_session_data *sd) {
 void clif_parse_Wis(int fd, struct map_session_data *sd) { // S 0096 <len>.w <nick>.24B <message>.?B // rewritten by [Yor]
 struct map_session_data *dstsd;
 int i;
- int gmlen = strlen(RFIFOP(fd,28));
- char gmbuf[512];
+ int gmlen = strlen(RFIFOP(fd,28));
+
+ if (RFIFOW(fd,2)-28 <= 0)
+ return;
+
+ char gmbuf[512];
 char *gm_command = ((gmlen+28) > sizeof(gmbuf)) ? (char *) malloc(gmlen + 28) : gmbuf; // 24+3+(RFIFOW(fd,2)-28)+1 or 24+3+(strlen(RFIFOP(fd,28))+1 (size can be wrong with hacker) |
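Review bot: `strlen(RFIFOP(fd,28))` still runs before the new length guard and is never bounded by the declared packet length, so a message with no terminating NUL inside `RFIFOW(fd,2)` bytes can still make `gmlen` count bytes past the end of the packet. The guard should come first and the length be capped by the header, e.g. `int msglen = RFIFOW(fd,2) - 28; if (msglen <= 0) return;` followed by `int gmlen = strnlen(RFIFOP(fd,28), msglen);`. This assumes RFIFOW yields a 16-bit value that is promoted to int before the subtraction, which the hunk does not show. The `malloc(gmlen + 28)` on the following context line has no visible NULL check; clif_parse_Wis continues outside the hunk, so that may be handled further down.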