From f4dcf3a0ed93546958c5fa59dbac32511a6bac0c Mon Sep 17 00:00:00 2001
From: Jessica Tölke <jtoelke@mail.upb.de>
Date: Fri, 12 Apr 2013 23:35:06 +0200
Subject: Fix exploit in Brodomir script due to unexpected behavior of
 delitem/getitem.

- delitem: only deletes one item if applied to not-stackable item (equipment)
- getitem: gives item stacked, even if it's equipment
- fix: use a loop and only delete/give one item at a time
---
 world/map/npc/009-6/brodomir.txt | 33 ++++++++++++++++++++++++++++-----
 1 file changed, 28 insertions(+), 5 deletions(-)

(limited to 'world/map/npc')

diff --git a/world/map/npc/009-6/brodomir.txt b/world/map/npc/009-6/brodomir.txt
index f001efa4..f3fc8399 100644
--- a/world/map/npc/009-6/brodomir.txt
+++ b/world/map/npc/009-6/brodomir.txt
@@ -87,7 +87,15 @@ L_Item:
         goto L_Wait;
     if (countitem(@brodomir_item$) < @brodomir_item_amount)
         goto L_NoItem;
-    delitem @brodomir_item$, @brodomir_item_amount;
+
+    // we need this loop because for items that can't be stacked, delitem can only delete a single one
+    set @loopcounter, @brodomir_item_amount;
+L_Delitem:
+    delitem @brodomir_item$, 1;
+    set @loopcounter, @loopcounter - 1;
+    if (@loopcounter > 0)
+        goto L_Delitem;
+
     set $@BRODOMIR_SPONSOR, getcharid(3);
     goto L_Go;
 
@@ -164,8 +172,17 @@ L_Warpfail:
     mapannounce "009-6.gat", "There are not enough players around to start!", 0;
     if ($@BRODOMIR_ITEM_AMOUNT == 0)
         goto L_Cleanup;
-    if (attachrid($@BRODOMIR_SPONSOR) != 0)
-        getitem $@BRODOMIR_ITEM$, $@BRODOMIR_ITEM_AMOUNT;
+    if (attachrid($@BRODOMIR_SPONSOR) == 0)
+        goto L_SkipItemback;
+
+    // we need this loop because for items that can't be stacked, getitem will stack them nevertheless
+L_GetitemLoop:
+    getitem $@BRODOMIR_ITEM$, 1;
+    set $@BRODOMIR_ITEM_AMOUNT, $@BRODOMIR_ITEM_AMOUNT - 1;
+    if ($@BRODOMIR_ITEM_AMOUNT > 0)
+        goto L_GetitemLoop;
+
+L_SkipItemback:
     set $@BRODOMIR_ITEM_AMOUNT, 0;
     set $@BRODOMIR_ITEM$, "";
     set $@BRODOMIR_SPONSOR, 0;
@@ -182,8 +199,14 @@ onReward:
         goto L_Dead;
     message strcharinfo(0), "Congratulations you won!";
     set Zeny, Zeny + ($@BRODOMIR_MONEY + 150 * $@BRODOMIR_PLAYERS);
-    getitem $@BRODOMIR_ITEM$, $@BRODOMIR_ITEM_AMOUNT;
-    set $@BRODOMIR_ITEM_AMOUNT, 0;
+
+    // we need this loop because for items that can't be stacked, getitem will stack them nevertheless
+L_Getitem:
+    getitem $@BRODOMIR_ITEM$, 1;
+    set $@BRODOMIR_ITEM_AMOUNT, $@BRODOMIR_ITEM_AMOUNT - 1;
+    if ($@BRODOMIR_ITEM_AMOUNT > 0)
+        goto L_Getitem;
+
     set $@BRODOMIR_ITEM$, "";
     set $@BRODOMIR_SPONSOR, 0;
     set $@BRODOMIR_MONEY, 0;
-- 
cgit v1.2.3-60-g2f50