author | Dastgir <dastgirp@gmail.com> | 2019-10-01 19:51:35 +0530 |
---|---|---|
committer | Dastgir <dastgirp@gmail.com> | 2019-10-02 11:56:43 +0530 |
commit | d3bf0f5d82f83ddd352047318e292194d98454ab (patch) | |
tree | 193767b24b0165b68dd7c0d6f5676d6eea7803f1 /src/map | |
parent | 852c13305f67948531bd0277eb1922dbd02b1f26 (diff) | |
Fixed heap-buffer-overflow on npcshopdelitem
npcshopdelitem now moves data within structure size.
Diffstat (limited to 'src/map')
-rw-r--r-- | src/map/script.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/map/script.c b/src/map/script.c
index b787d0138..c66ebf481 100644
--- a/src/map/script.c
+++ b/src/map/script.c
@@ -18030,10 +18030,12 @@ static BUILDIN(npcshopdelitem)
 unsigned int nameid = script_getnum(st,i);
 ARR_FIND(0, size, n, nd->u.shop.shop_item[n].nameid == nameid);
- if (n < size) {
- memmove(&nd->u.shop.shop_item[n], &nd->u.shop.shop_item[n+1], sizeof(nd->u.shop.shop_item[0])*(size-n));
- size--;
+ if (n == size) {
+ continue;
+ } else if (n < size - 1) {
+ memmove(&nd->u.shop.shop_item[n], &nd->u.shop.shop_item[n+1], sizeof(nd->u.shop.shop_item[0]) * (size - n - 1));
 }
+ size--;
 }
 RECREATE(nd->u.shop.shop_item, struct npc_item_list, size); |
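Review bot: When the script arguments remove every entry, `size` reaches 0 and the `RECREATE(nd->u.shop.shop_item, struct npc_item_list, size);` after the loop is asked for a zero-length array, a case this change leaves unhandled. How `RECREATE` treats a zero count is not visible in the hunk (a plain `realloc(p, 0)` is implementation-defined), so confirm it and, if needed, handle the empty shop explicitly before the call, for example by guarding it with `if (size > 0)`. The new bounds logic would also benefit from a short comment on the `else if (n < size - 1)` branch, such as `// shift only the entries after n; when n is the last slot there is nothing to move`, because the `- 1` is what keeps the read inside the allocation. The declarations of `size` and `n` and the rest of `npcshopdelitem` are outside the hunk. If `size` is unsigned, `size - 1` is safe only because the `n == size` check runs first, which is worth stating in the same comment.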