2 files changed, 8 insertions, 6 deletions

diff --git a/src/char/char.c b/src/char/char.c
index 91d0870d1..e991aafcc 100644
--- a/src/char/char.c
+++ b/src/char/char.c
@@ -2117,7 +2117,7 @@ void char_mmo_char_send_slots_info(int fd, struct char_session_data* sd) {
 	WFIFOW(fd,2) = 29;
 	WFIFOB(fd,4) = sd->char_slots;
 	WFIFOB(fd,5) = MAX_CHARS - sd->char_slots;
-	WFIFOB(fd,6) = MAX_CHARS - sd->char_slots;
+	WFIFOB(fd,6) = 0;
 	WFIFOB(fd,7) = sd->char_slots;
 	WFIFOB(fd,8) = sd->char_slots;
 	memset(WFIFOP(fd,9), 0, 20); // unused bytes
diff --git a/src/char/inter.c b/src/char/inter.c
index 5b81a4732..87ecb4e6a 100644
--- a/src/char/inter.c
+++ b/src/char/inter.c
@@ -1186,7 +1186,7 @@ int mapif_parse_Registry(int fd)
 
 	if( count ) {
 		int cursor = 14, i;
-		char key[32], sval[254];
+		char key[SCRIPT_VARNAME_LENGTH+1], sval[254];
 		bool isLoginActive = sockt->session_is_active(chr->login_fd);
 
 		if( isLoginActive )
@@ -1194,8 +1194,9 @@ int mapif_parse_Registry(int fd)
 
 		for(i = 0; i < count; i++) {
 			unsigned int index;
-			safestrncpy(key, (char*)RFIFOP(fd, cursor + 1), RFIFOB(fd, cursor));
-			cursor += RFIFOB(fd, cursor) + 1;
+			int len = RFIFOB(fd, cursor);
+			safestrncpy(key, (char*)RFIFOP(fd, cursor + 1), min((int)sizeof(key), len));
+			cursor += len + 1;
 
 			index = RFIFOL(fd, cursor);
 			cursor += 4;
@@ -1211,8 +1212,9 @@ int mapif_parse_Registry(int fd)
 					break;
 				/* str */
 				case 2:
-					safestrncpy(sval, (char*)RFIFOP(fd, cursor + 1), RFIFOB(fd, cursor));
-					cursor += RFIFOB(fd, cursor) + 1;
+					len = RFIFOB(fd, cursor);
+					safestrncpy(sval, (char*)RFIFOP(fd, cursor + 1), min((int)sizeof(sval), len));
+					cursor += len + 1;
 					inter->savereg(account_id,char_id,key,index,(intptr_t)sval,true);
 					break;
 				case 3: