Added missing checks to stop an infinite free cash point exploit. (bugreport:4139)

git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@14266 54d463be-8e91-2dee-dedb-b68131a5f0ec

2 files changed, 15 insertions, 0 deletions

diff --git a/Changelog-Trunk.txt b/Changelog-Trunk.txt
index aa1201a79..1caf2df79 100644
--- a/Changelog-Trunk.txt
+++ b/Changelog-Trunk.txt
@@ -3,6 +3,8 @@ Date	Added
 AS OF SVN REV. 5091, WE ARE NOW USING TRUNK.  ALL UNTESTED BUGFIXES/FEATURES GO INTO TRUNK.
 IF YOU HAVE A WORKING AND TESTED BUGFIX PUT IT INTO STABLE AS WELL AS TRUNK.
 
+2010/03/21
+	* Added missing checks to stop an infinite free cash point exploit. (bugreport:4139) [ultramage]
 2010/03/02
 	* Fixed an exploit where the buyer can end the auction himself. [Inkfish]
 2010/02/27
diff --git a/src/map/npc.c b/src/map/npc.c
index e629848fe..15434f357 100644
--- a/src/map/npc.c
+++ b/src/map/npc.c
@@ -1156,6 +1156,12 @@ int npc_cashshop_buy(struct map_session_data *sd, int nameid, int amount, int po
 	struct item_data *item;
 	int i, price, w;
 
+	if( amount <= 0 )
+		return 5;
+
+	if( points < 0 )
+		return 6;
+
 	if( !nd || nd->subtype != CASHSHOP )
 		return 1;
 
@@ -1192,6 +1198,13 @@ int npc_cashshop_buy(struct map_session_data *sd, int nameid, int amount, int po
 	if( w + sd->weight > sd->max_weight )
 		return 3;
 
+	if( (double)nd->u.shop.shop_item[i].value * amount > INT_MAX )
+	{
+		ShowWarning("npc_cashshop_buy: Item '%s' (%d) price overflow attempt!\n", item->name, nameid);
+		ShowDebug("(NPC:'%s' (%s,%d,%d), player:'%s' (%d/%d), value:%d, amount:%d)\n", nd->exname, map[nd->bl.m].name, nd->bl.x, nd->bl.y, sd->status.name, sd->status.account_id, sd->status.char_id, nd->u.shop.shop_item[i].value, amount);
+		return 5;
+	}
+
 	price = nd->u.shop.shop_item[i].value * amount;
 	if( points > price )
 		points = price;