summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHaru <haru@dotalux.com>2015-12-06 15:42:56 +0100
committerHaru <haru@dotalux.com>2015-12-06 15:42:56 +0100
commite711753b9d584845e385ada29780b9ed216c4f55 (patch)
tree0d97a15dd8997fe4ab2775464309aeccad388355
parentfd032f5331018aba6986dfb5f7913ffb6cfe45f4 (diff)
downloadhercules-e711753b9d584845e385ada29780b9ed216c4f55.tar.gz
hercules-e711753b9d584845e385ada29780b9ed216c4f55.tar.bz2
hercules-e711753b9d584845e385ada29780b9ed216c4f55.tar.xz
hercules-e711753b9d584845e385ada29780b9ed216c4f55.zip
Fixed a validation issue in the NPC Sell List
Signed-off-by: Haru <haru@dotalux.com>
-rw-r--r--src/map/npc.c18
1 files changed, 13 insertions, 5 deletions
diff --git a/src/map/npc.c b/src/map/npc.c
index 8a7998931..3bd14bf41 100644
--- a/src/map/npc.c
+++ b/src/map/npc.c
@@ -2076,6 +2076,7 @@ int npc_selllist(struct map_session_data* sd, int n, unsigned short* item_list)
double z;
int i,skill_t, skill_idx = skill->get_index(MC_OVERCHARGE);
struct npc_data *nd;
+ bool duplicates[MAX_INVENTORY] = { 0 };
nullpo_retr(1, sd);
nullpo_retr(1, item_list);
@@ -2092,29 +2093,36 @@ int npc_selllist(struct map_session_data* sd, int n, unsigned short* item_list)
z = 0;
// verify the sell list
- for( i = 0; i < n; i++ ) {
+ for (i = 0; i < n; i++) {
int nameid, amount, idx, value;
idx = item_list[i*2]-2;
amount = item_list[i*2+1];
- if( idx >= MAX_INVENTORY || idx < 0 || amount < 0 ) {
+ if (idx >= MAX_INVENTORY || idx < 0 || amount < 0) {
+ return 1;
+ }
+
+ if (duplicates[idx]) {
+ // Sanity check. The client sends each inventory index at most once [Haru]
return 1;
}
+ duplicates[idx] = true;
nameid = sd->status.inventory[idx].nameid;
- if( !nameid || !sd->inventory_data[idx] || sd->status.inventory[idx].amount < amount ) {
+ if (!nameid || !sd->inventory_data[idx] || sd->status.inventory[idx].amount < amount) {
return 1;
}
- if( nd->master_nd ) {// Script-controlled shops decide by themselves, what can be sold and at what price.
+ if (nd->master_nd) {
+ // Script-controlled shops decide by themselves, what can be sold and at what price.
continue;
}
value = pc->modifysellvalue(sd, sd->inventory_data[idx]->value_sell);
- z+= (double)value*amount;
+ z += (double)value*amount;
}
if( nd->master_nd ) { // Script-controlled shops