From 1870f99f285b3aee1e6dbffaa29a23c1f27d9080 Mon Sep 17 00:00:00 2001 From: ultramage Date: Sun, 21 Mar 2010 10:08:40 +0000 Subject: Added missing checks to stop an infinite free cash point exploit. (bugreport:4139) git-svn-id: https://rathena.svn.sourceforge.net/svnroot/rathena/trunk@14266 54d463be-8e91-2dee-dedb-b68131a5f0ec --- src/map/npc.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'src') diff --git a/src/map/npc.c b/src/map/npc.c index e629848fe..15434f357 100644 --- a/src/map/npc.c +++ b/src/map/npc.c @@ -1156,6 +1156,12 @@ int npc_cashshop_buy(struct map_session_data *sd, int nameid, int amount, int po struct item_data *item; int i, price, w; + if( amount <= 0 ) + return 5; + + if( points < 0 ) + return 6; + if( !nd || nd->subtype != CASHSHOP ) return 1; @@ -1192,6 +1198,13 @@ int npc_cashshop_buy(struct map_session_data *sd, int nameid, int amount, int po if( w + sd->weight > sd->max_weight ) return 3; + if( (double)nd->u.shop.shop_item[i].value * amount > INT_MAX ) + { + ShowWarning("npc_cashshop_buy: Item '%s' (%d) price overflow attempt!\n", item->name, nameid); + ShowDebug("(NPC:'%s' (%s,%d,%d), player:'%s' (%d/%d), value:%d, amount:%d)\n", nd->exname, map[nd->bl.m].name, nd->bl.x, nd->bl.y, sd->status.name, sd->status.account_id, sd->status.char_id, nd->u.shop.shop_item[i].value, amount); + return 5; + } + price = nd->u.shop.shop_item[i].value * amount; if( points > price ) points = price; -- cgit v1.2.3-70-g09d2