From 13b0df653961554f1e64680c763ea34ae84fa8f9 Mon Sep 17 00:00:00 2001
From: Andrei Karas
Date: Sun, 18 Sep 2016 01:38:37 +0300
Subject: Add missing checks into trade.c
---
 src/map/trade.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
(limited to 'src/map/trade.c')
diff --git a/src/map/trade.c b/src/map/trade.c
index d6bdd14e5..6ada188c9 100644
--- a/src/map/trade.c
+++ b/src/map/trade.c
@@ -118,7 +118,8 @@ void trade_traderequest(struct map_session_data *sd, struct map_session_data *ta
 * Weird enough, the client should only send 3/4
 * and the server is the one that can reply 0~2
 *------------------------------------------*/
-void trade_tradeack(struct map_session_data *sd, int type) {
+void trade_tradeack(struct map_session_data *sd, int type)
+{
 struct map_session_data *tsd;
 nullpo_retv(sd);
@@ -217,6 +218,8 @@ int impossible_trade_check(struct map_session_data *sd)
 if (!sd->deal.item[i].amount)
 continue;
 index = sd->deal.item[i].index;
+ if (index < 0 || index >= MAX_INVENTORY)
+ return 1;
 if (inventory[index].amount < sd->deal.item[i].amount) {
 // if more than the player have -> hack
 snprintf(message_to_gm, sizeof(message_to_gm), msg_txt(538), sd->status.name, sd->status.account_id); // Hack on trade: character '%s' (account: %d) try to trade more items that he has.
@@ -257,6 +260,8 @@ int trade_check(struct map_session_data *sd, struct map_session_data *tsd)
 struct item_data *data;
 int trade_i, i, n;
+ nullpo_ret(sd);
+ nullpo_ret(tsd);
 // check zenys value against hackers (Zeny was already checked on time of adding, but you never know when you lost some zeny since then.
 if(sd->deal.zeny > sd->status.zeny || (tsd->status.zeny > MAX_ZENY - sd->deal.zeny))
 return 0;
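Review bot: In impossible_trade_check, the added `if (index < 0 || index >= MAX_INVENTORY) return 1;` exits without the GM message that the amount check directly below it builds with `snprintf(message_to_gm, ...)`, so a deal slot holding an out-of-range index is handled silently. An index outside the inventory is at least as strong a tampering signal as an inflated amount, and operators would likely want it reported the same way. One option is to fold the range test into the existing condition, `if (index < 0 || index >= MAX_INVENTORY || inventory[index].amount < sd->deal.item[i].amount) {`, provided the rest of that branch, which continues outside the hunk, does not read `inventory[index]`. If the silent return is intentional, a comment such as `// corrupt deal index: refuse the trade without reporting` would say so; the guard also assumes `inventory` holds MAX_INVENTORY entries, and its declaration is outside the hunk.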
@@ -303,6 +308,8 @@ int trade_check(struct map_session_data *sd, struct map_session_data *tsd)
 if (!amount)
 continue;
 n = tsd->deal.item[trade_i].index;
+ if (n < 0 || n >= MAX_INVENTORY)
+ return 0;
 if (amount > inventory2[n].amount)
 return 0;
 // search if it's possible to add item (for full inventory)
@@ -336,7 +343,8 @@ int trade_check(struct map_session_data *sd, struct map_session_data *tsd)
 /*==========================================
 * Adds an item/qty to the trade window
 *------------------------------------------*/
-void trade_tradeadditem(struct map_session_data *sd, short index, short amount) {
+void trade_tradeadditem(struct map_session_data *sd, short index, short amount)
+{
 struct map_session_data *target_sd;
 struct item *item;
 int trade_i, trade_weight;
@@ -456,9 +464,11 @@ void trade_tradeaddzeny(struct map_session_data* sd, int amount)
 /*==========================================
 * 'Ok' button on the trade window is pressed.
 *------------------------------------------*/
-void trade_tradeok(struct map_session_data *sd) {
+void trade_tradeok(struct map_session_data *sd)
+{
 struct map_session_data *target_sd;
+ nullpo_retv(sd);
 if(sd->state.deal_locked || !sd->state.trading)
 return;
@@ -475,10 +485,12 @@ void trade_tradeok(struct map_session_data *sd) {
 /*==========================================
 * 'Cancel' is pressed. (or trade was force-canceled by the code)
 *------------------------------------------*/
-void trade_tradecancel(struct map_session_data *sd) {
+void trade_tradecancel(struct map_session_data *sd)
+{
 struct map_session_data *target_sd;
 int trade_i;
+ nullpo_retv(sd);
 target_sd = map->id2sd(sd->trade_partner);
 if(!sd->state.trading)
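Review bot: The new guard in trade_check (hunk at -303,6 +308,8) covers only the partner's slot, `n = tsd->deal.item[trade_i].index`, before `inventory2[n]` is read, and the hunk does not show whether a matching read through `sd->deal.item[trade_i].index` got the same check. The loop body starts above the hunk, and the name `inventory2` suggests there is a first `inventory` array indexed the same way for `sd`, so this needs confirming against the full function. If such a read exists without a range test, add `if (n < 0 || n >= MAX_INVENTORY) return 0;` ahead of it as well, otherwise one side of the trade keeps an unchecked array index while the other is validated.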
@@ -533,11 +545,13 @@ void trade_tradecancel(struct map_session_data *sd) {
 /*==========================================
 * lock sd and tsd trade data, execute the trade, clear, then save players
 *------------------------------------------*/
-void trade_tradecommit(struct map_session_data *sd) {
+void trade_tradecommit(struct map_session_data *sd)
+{
 struct map_session_data *tsd;
 int trade_i;
 int flag;
+ nullpo_retv(sd);
 if (!sd->state.trading || !sd->state.deal_locked) //Locked should be 1 (pressed ok) before you can press trade.
 return;
-- cgit v1.2.3-60-g2f50