From 1870f99f285b3aee1e6dbffaa29a23c1f27d9080 Mon Sep 17 00:00:00 2001
From: ultramage <ultramage@54d463be-8e91-2dee-dedb-b68131a5f0ec>
Date: Sun, 21 Mar 2010 10:08:40 +0000
Subject: Added missing checks to stop an infinite free cash point exploit.
 (bugreport:4139)

git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@14266 54d463be-8e91-2dee-dedb-b68131a5f0ec
---
 src/map/npc.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'src/map')

diff --git a/src/map/npc.c b/src/map/npc.c
index e629848fe..15434f357 100644
--- a/src/map/npc.c
+++ b/src/map/npc.c
@@ -1156,6 +1156,12 @@ int npc_cashshop_buy(struct map_session_data *sd, int nameid, int amount, int po
 	struct item_data *item;
 	int i, price, w;
 
+	if( amount <= 0 )
+		return 5;
+
+	if( points < 0 )
+		return 6;
+
 	if( !nd || nd->subtype != CASHSHOP )
 		return 1;
 
@@ -1192,6 +1198,13 @@ int npc_cashshop_buy(struct map_session_data *sd, int nameid, int amount, int po
 	if( w + sd->weight > sd->max_weight )
 		return 3;
 
+	if( (double)nd->u.shop.shop_item[i].value * amount > INT_MAX )
+	{
+		ShowWarning("npc_cashshop_buy: Item '%s' (%d) price overflow attempt!\n", item->name, nameid);
+		ShowDebug("(NPC:'%s' (%s,%d,%d), player:'%s' (%d/%d), value:%d, amount:%d)\n", nd->exname, map[nd->bl.m].name, nd->bl.x, nd->bl.y, sd->status.name, sd->status.account_id, sd->status.char_id, nd->u.shop.shop_item[i].value, amount);
+		return 5;
+	}
+
 	price = nd->u.shop.shop_item[i].value * amount;
 	if( points > price )
 		points = price;
-- 
cgit v1.2.3-60-g2f50