From 3e53a34615c2535dbed3d7c2c7a00f1ef3eaff0a Mon Sep 17 00:00:00 2001
From: shennetsind
Date: Sat, 17 Jan 2015 18:49:03 -0200
Subject: Another ~10 Fixes Addressing out of bounds read/write. Special Thanks to 4144 and Haruna!
Signed-off-by: shennetsind
---
 src/map/battle.c | 2 +-
 src/map/duel.c | 2 +-
 src/map/itemdb.c | 2 +-
 src/map/npc.c | 3 ++-
 src/map/path.c | 6 ++++++
 src/map/script.c | 2 +-
 src/map/skill.c | 3 ++-
 src/map/unit.c | 4 ++--
 8 files changed, 16 insertions(+), 8 deletions(-)
(limited to 'src/map')
diff --git a/src/map/battle.c b/src/map/battle.c
index 998fad0af..7e7317935 100644
--- a/src/map/battle.c
+++ b/src/map/battle.c
@@ -303,7 +303,7 @@ int battle_attr_ratio(int atk_elem,int def_type, int def_lv)
 if (atk_elem < 0 || atk_elem >= ELE_MAX)
 return 100;
- if (def_type < 0 || def_type > ELE_MAX || def_lv < 1 || def_lv > 4)
+ if (def_type < 0 || def_type >= ELE_MAX || def_lv < 1 || def_lv > 4)
 return 100;
 return battle->attr_fix_table[def_lv-1][atk_elem][def_type];
diff --git a/src/map/duel.c b/src/map/duel.c
index 0ae2770c4..98fa91d3e 100644
--- a/src/map/duel.c
+++ b/src/map/duel.c
@@ -80,7 +80,7 @@ int duel_create(struct map_session_data* sd, const unsigned int maxpl) {
 int i=1;
 char output[256];
- while(duel->list[i].members_count > 0 && i < MAX_DUEL) i++;
+ while(i < MAX_DUEL && duel->list[i].members_count > 0) i++;
 if(i == MAX_DUEL) return 0;
 duel->count++;
diff --git a/src/map/itemdb.c b/src/map/itemdb.c
index 8b6dfba63..b537d69be 100644
--- a/src/map/itemdb.c
+++ b/src/map/itemdb.c
@@ -2242,7 +2242,7 @@ void itemdb_reload(void) {
 if (k == MAX_SEARCH)
 continue;
- if (id->mob[k].id != i)
+ if (id->mob[k].id != i && k != MAX_SEARCH - 1)
 memmove(&id->mob[k+1], &id->mob[k], (MAX_SEARCH-k-1)*sizeof(id->mob[0]));
 id->mob[k].chance = entry->dropitem[d].p;
 id->mob[k].id = i;
diff --git a/src/map/npc.c b/src/map/npc.c
index 28709d34f..8ecefb5a0 100644
--- a/src/map/npc.c
+++ b/src/map/npc.c
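Review bot: The corrected check still hard-codes `def_lv > 4` while the element bounds use ELE_MAX, so the first dimension of attr_fix_table is validated against a literal that can drift from the table's declaration (which is outside this hunk). If attr_fix_table is a fixed-size array, `def_lv > ARRAYLENGTH(battle->attr_fix_table)` ties the check to the declaration the same way the `>= ELE_MAX` fix now does for def_type. A one-line comment above the two checks, `// all three indices are range-checked before indexing attr_fix_table`, would also record why the early returns exist.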
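Review bot: The reordered loop condition is correct only because `i < MAX_DUEL` now short-circuits the `duel->list[i]` read, and nothing in the hunk says so; a later cleanup could swap the operands back. Add `// bounds test first: list[MAX_DUEL] is past the end of the array` above the while. The search also starts at `i=1`; if slot 0 is deliberately reserved that belongs in the same comment. The rest of duel_create is outside the hunk.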
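Review bot: The new `k != MAX_SEARCH - 1` clause is not explained: at k == MAX_SEARCH-1 the shift length `(MAX_SEARCH-k-1)` is zero and the destination `&id->mob[k+1]` is one past the array, so the guard avoids handing memmove a pointer outside the object rather than changing what gets stored. Record that with `// last slot: nothing to shift, the old entry is simply overwritten below`. In that case the entry previously in the last slot is dropped silently, as before the patch; a debug-level log there would make the truncation visible to whoever maintains MAX_SEARCH. itemdb_reload continues outside the hunk.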
@@ -3605,7 +3605,8 @@ const char* npc_parse_mob(char* w1, char* w2, char* w3, char* w4, const char* st
 }
 if (mobspawn.num > db->spawn[i].qty) {
 //Insert into list
- memmove(&db->spawn[i+1], &db->spawn[i], sizeof(db->spawn) -(i+1)*sizeof(db->spawn[0]));
+ if( i != ARRAYLENGTH(db->spawn) - 1 )
+ memmove(&db->spawn[i+1], &db->spawn[i], sizeof(db->spawn) -(i+1)*sizeof(db->spawn[0]));
 db->spawn[i].mapindex = map_id2index(mobspawn.m);
 db->spawn[i].qty = mobspawn.num;
 break;
diff --git a/src/map/path.c b/src/map/path.c
index a7315da3c..600dfc082 100644
--- a/src/map/path.c
+++ b/src/map/path.c
@@ -255,6 +255,12 @@ bool path_search(struct walkpath_data *wpd, int16 m, int16 x0, int16 y0, int16 x
 // Check destination cell
 if (x1 < 0 || x1 >= md->xs || y1 < 0 || y1 >= md->ys || md->getcellp(md,x1,y1,cell))
 return false;
+
+ if( x0 == x1 && y0 == y1 ) {
+ wpd->path_len = 0;
+ wpd->path_pos = 0;
+ return true;
+ }
 if (flag&1) {
 // Try finding direct path to target
diff --git a/src/map/script.c b/src/map/script.c
index 612bfa69e..2249d53cc 100644
--- a/src/map/script.c
+++ b/src/map/script.c
@@ -12421,7 +12421,7 @@ BUILDIN(getinventorylist){
 BUILDIN(getcartinventorylist){
 TBL_PC *sd=script->rid2sd(st);
- char card_var[NAME_LENGTH];
+ char card_var[26];
 int i,j=0,k;
 if(!sd) return true;
diff --git a/src/map/skill.c b/src/map/skill.c
index 749f06799..8c1d7e1e5 100644
--- a/src/map/skill.c
+++ b/src/map/skill.c
@@ -10877,7 +10877,7 @@ int skill_castend_pos2(struct block_list* src, int x, int y, uint16 skill_id, ui
 case SO_FIREWALK:
 case SO_ELECTRICWALK:
- if( sc && sc->data[type] )
+ if( sce )
 status_change_end(src,type,INVALID_TIMER);
 clif->skill_nodamage(src, src ,skill_id, skill_lv, sc_start2(src,src, type, 100, skill_id, skill_lv, skill->get_time(skill_id, skill_lv)));
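Review bot: The added guard compares `i` with `ARRAYLENGTH(db->spawn) - 1`; if `i` is a signed int (its declaration is outside the hunk) that is a signed/unsigned comparison -Wsign-compare reports, harmless while `i` is non-negative but worth an explicit cast so the warning does not hide a real one later. The reason for the guard is also unstated: at the last slot the memmove length `sizeof(db->spawn) -(i+1)*sizeof(db->spawn[0])` is zero and `&db->spawn[i+1]` points one past the array, so `// last slot: nothing to shift, the entry is overwritten below` explains it; the same pattern in src/map/itemdb.c deserves the same note. npc_parse_mob continues outside the hunk.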
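Review bot: The new early exit writes only path_len and path_pos into *wpd; if struct walkpath_data has other fields callers read (its definition is outside the hunk), they keep whatever the caller passed in, so either clear them here or state that they are undefined for an empty path. A comment above the block, `// Already at destination: report an empty path as success`, would explain why this returns true rather than false. Because the test sits after the destination-cell check, a blocked cell the unit already stands on still yields false; if that is intended, say so in the same comment. path_search continues outside the hunk.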
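Review bot: `char card_var[26]` swaps a named size for a bare literal and nothing in the hunk says what 26 is sized for; the writes into card_var happen later in getcartinventorylist (outside the hunk) and are presumably formatted variable names, so the size should be derived from that pattern rather than hand-counted. At minimum add `// sized for the longest variable name built below; keep in sync with those sprintf calls`, and prefer `snprintf(card_var, sizeof card_var, ...)` at the write sites so a longer name truncates instead of overflowing the stack buffer.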
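Review bot: Replacing `sc && sc->data[type]` with `sce` is only equivalent if `sce` was derived from the same `type` that status_change_end receives; both are assigned outside the hunk, and if an earlier case reassigns `type` without refreshing `sce` the guard and the call disagree. A comment on the guard, `// sce == sc->data[type], computed before the switch`, or re-deriving it at the point of use, makes that dependency visible to the next editor. skill_castend_pos2 starts and ends outside the hunk.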
@@ -18849,6 +18849,7 @@ bool skill_parse_row_improvisedb(char* split[], int columns, int current) {
 }
 if( current >= MAX_SKILL_IMPROVISE_DB ) {
 ShowError("skill_improvise_db: Maximum amount of entries reached (%d), increase MAX_SKILL_IMPROVISE_DB\n",MAX_SKILL_IMPROVISE_DB);
+ return false;
 }
 skill->improvise_db[current].skill_id = skill_id;
 skill->improvise_db[current].per = j; // Still need confirm it.
diff --git a/src/map/unit.c b/src/map/unit.c
index 7f41f4709..a6edef408 100644
--- a/src/map/unit.c
+++ b/src/map/unit.c
@@ -1971,8 +1971,8 @@ bool unit_can_reach_bl(struct block_list *bl,struct block_list *tbl, int range,
 if (map->getcell(tbl->m,tbl->x-dx,tbl->y-dy,CELL_CHKNOPASS)) {
 //Look for a suitable cell to place in.
- for(i=0;i<9 && map->getcell(tbl->m,tbl->x-dirx[i],tbl->y-diry[i],CELL_CHKNOPASS);i++);
- if (i==9) return false; //No valid cells.
+ for(i=0;i<8 && map->getcell(tbl->m,tbl->x-dirx[i],tbl->y-diry[i],CELL_CHKNOPASS);i++);
+ if (i==8) return false; //No valid cells.
 dx = dirx[i];
 dy = diry[i];
 }
-- 
cgit v1.2.3-60-g2f50
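Review bot: The added `return false;` closes only the upper bound; `current` is an int and a negative value would still index skill->improvise_db out of range on the next line. If the caller guarantees a non-negative row index this is fine, otherwise `if( current < 0 || current >= MAX_SKILL_IMPROVISE_DB ) {` covers both sides at no extra cost. The `}` that opens the hunk belongs to an earlier block, so how skill_id and j were validated is not visible here.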
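Review bot: `8` replaces `9` as a bare literal in two places and nothing ties it to the arrays it bounds, which is exactly how the previous off-by-one crept in; if dirx and diry are fixed-size arrays (declared outside the hunk), `for(i=0;i<ARRAYLENGTH(dirx) && map->getcell(...);i++);` and `if (i==ARRAYLENGTH(dirx)) return false;` make the bound follow the declaration. The empty loop body hidden in the trailing `;` is easy to misread as a missing statement; `{ /* empty */ }` or the `;` on its own line makes the intent explicit. unit_can_reach_bl continues outside the hunk.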