From 652f2cca31626806dc536b4ee3d18aa1d654f569 Mon Sep 17 00:00:00 2001
From: Andrei Karas <akaras@inbox.ru>
Date: Mon, 8 May 2017 19:34:50 +0300
Subject: Fix crash in cart and fix different use after free in item options.

---
 src/net/ea/inventoryitem.h        | 22 +++++++++++++++++++++-
 src/net/eathena/inventoryrecv.cpp |  4 ++++
 2 files changed, 25 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/net/ea/inventoryitem.h b/src/net/ea/inventoryitem.h
index da0f63283..193500d60 100644
--- a/src/net/ea/inventoryitem.h
+++ b/src/net/ea/inventoryitem.h
@@ -92,11 +92,31 @@ class InventoryItem final
                 cards[f] = cards0[f];
         }
 
+        InventoryItem(const InventoryItem &c) :
+            slot(c.slot),
+            id(c.id),
+            type(c.type),
+            cards(),
+            options(ItemOptionsList::copy(c.options)),
+            quantity(c.quantity),
+            refine(c.refine),
+            color(c.color),
+            identified(c.identified),
+            damaged(c.damaged),
+            favorite(c.favorite),
+            equip(c.equip)
+        {
+            if (!c.cards)
+                return;
+            for (int f = 0; f < 4; f ++)
+                cards[f] = c.cards[f];
+        }
+
         A_DEFAULT_COPY(InventoryItem)
 
         ~InventoryItem()
         {
-            delete [] options;
+            delete options;
         }
 };
 
diff --git a/src/net/eathena/inventoryrecv.cpp b/src/net/eathena/inventoryrecv.cpp
index d068b674a..5403e773b 100644
--- a/src/net/eathena/inventoryrecv.cpp
+++ b/src/net/eathena/inventoryrecv.cpp
@@ -727,6 +727,7 @@ void InventoryRecv::processPlayerStorageEquip(Net::MessageIn &msg)
             fromBool(flags.bits.isDamaged, Damaged),
             fromBool(flags.bits.isFavorite, Favorite),
             Equipm_false));
+        delete options;
     }
     BLOCK_END("InventoryRecv::processPlayerStorageEquip")
 }
@@ -787,6 +788,7 @@ void InventoryRecv::processPlayerStorageAdd(Net::MessageIn &msg)
             Ea::InventoryRecv::mStorage->setOptions(index, options);
         }
     }
+    delete options;
     BLOCK_END("InventoryRecv::processPlayerStorageAdd")
 }
 
@@ -1009,6 +1011,7 @@ void InventoryRecv::processPlayerCartAdd(Net::MessageIn &msg)
             Favorite_false,
             Equipm_false));
     }
+    delete options;
     BLOCK_END("InventoryRecv::processPlayerCartAdd")
 }
 
@@ -1091,6 +1094,7 @@ void InventoryRecv::processPlayerCartEquip(Net::MessageIn &msg)
             fromBool(flags.bits.isDamaged, Damaged),
             fromBool(flags.bits.isFavorite, Favorite),
             Equipm_false));
+        delete options;
     }
     BLOCK_END("InventoryRecv::processPlayerCartEquip")
 }
-- 
cgit v1.2.3-60-g2f50