summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrei Karas <akaras@inbox.ru>2017-09-05 02:18:18 +0300
committerAndrei Karas <akaras@inbox.ru>2017-09-05 21:32:13 +0300
commitcb2924a3d4cf138587daff750b5278e9d30975e6 (patch)
treeed339d49a62b7a7f9296746096e848256d7c4cb2
parent494cb78c98e2e72fa81932462dce22c2beafda96 (diff)
downloadhercules-cb2924a3d4cf138587daff750b5278e9d30975e6.tar.gz
hercules-cb2924a3d4cf138587daff750b5278e9d30975e6.tar.bz2
hercules-cb2924a3d4cf138587daff750b5278e9d30975e6.tar.xz
hercules-cb2924a3d4cf138587daff750b5278e9d30975e6.zip
Add missing checks in attaching item to rodex mail.
Also fix buffer overflow in requesting items from rodex mail.
-rw-r--r--src/map/rodex.c31
1 files changed, 26 insertions, 5 deletions
diff --git a/src/map/rodex.c b/src/map/rodex.c
index c041ecc6b..63d7242db 100644
--- a/src/map/rodex.c
+++ b/src/map/rodex.c
@@ -263,17 +263,38 @@ int rodex_send_mail(struct map_session_data *sd, const char *receiver_name, cons
for (i = 0; i < RODEX_MAX_ITEM; i++) {
int16 idx = sd->rodex.tmp.items[i].idx;
+ int j;
+ struct item *tmpItem = &sd->rodex.tmp.items[i].item;
+ struct item *invItem = &sd->status.inventory[idx];
- if (sd->rodex.tmp.items[i].item.nameid == 0)
+ if (tmpItem->nameid == 0)
continue;
- if (sd->rodex.tmp.items[i].item.nameid != sd->status.inventory[idx].nameid
- || sd->rodex.tmp.items[i].item.unique_id != sd->status.inventory[idx].unique_id
- || sd->rodex.tmp.items[i].item.amount > sd->status.inventory[idx].amount
- || sd->rodex.tmp.items[i].item.amount < 1) {
+ if (tmpItem->nameid != invItem->nameid ||
+ tmpItem->unique_id != invItem->unique_id ||
+ tmpItem->refine != invItem->refine ||
+ tmpItem->attribute != invItem->attribute ||
+ tmpItem->expire_time != invItem->expire_time ||
+ tmpItem->bound != invItem->bound ||
+ tmpItem->amount > invItem->amount ||
+ tmpItem->amount < 1) {
rodex->clean(sd, 1);
return RODEX_SEND_MAIL_ITEM_ERROR;
}
+ for (j = 0; j < MAX_SLOTS; j++) {
+ if (tmpItem->card[j] != invItem->card[j]) {
+ rodex->clean(sd, 1);
+ return RODEX_SEND_MAIL_ITEM_ERROR;
+ }
+ }
+ for (j = 0; j < MAX_ITEM_OPTIONS; j++) {
+ if (tmpItem->option[j].index != invItem->option[j].index ||
+ tmpItem->option[j].value != invItem->option[j].value ||
+ tmpItem->option[j].param != invItem->option[j].param) {
+ rodex->clean(sd, 1);
+ return RODEX_SEND_MAIL_ITEM_ERROR;
+ }
+ }
}
if (total_zeny > 0 && pc->payzeny(sd, (int)total_zeny, LOG_TYPE_MAIL, NULL) != 0) {