diff options
| author | Andrei Karas <akaras@inbox.ru> | 2017-09-05 02:18:18 +0300 |
|---|---|---|
| committer | Andrei Karas <akaras@inbox.ru> | 2017-09-05 21:32:13 +0300 |
| commit | cb2924a3d4cf138587daff750b5278e9d30975e6 (patch) | |
| tree | ed339d49a62b7a7f9296746096e848256d7c4cb2 /src/map | |
| parent | 494cb78c98e2e72fa81932462dce22c2beafda96 (diff) | |
| download | hercules-cb2924a3d4cf138587daff750b5278e9d30975e6.tar.gz hercules-cb2924a3d4cf138587daff750b5278e9d30975e6.tar.bz2 hercules-cb2924a3d4cf138587daff750b5278e9d30975e6.tar.xz hercules-cb2924a3d4cf138587daff750b5278e9d30975e6.zip | |
Add missing checks in attaching item to rodex mail.
Also fix buffer overflow in requesting items from rodex mail.
Diffstat (limited to 'src/map')
| -rw-r--r-- | src/map/rodex.c | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/src/map/rodex.c b/src/map/rodex.c index c041ecc6b..63d7242db 100644 --- a/src/map/rodex.c +++ b/src/map/rodex.c @@ -263,17 +263,38 @@ int rodex_send_mail(struct map_session_data *sd, const char *receiver_name, cons for (i = 0; i < RODEX_MAX_ITEM; i++) { int16 idx = sd->rodex.tmp.items[i].idx; + int j; + struct item *tmpItem = &sd->rodex.tmp.items[i].item; + struct item *invItem = &sd->status.inventory[idx]; - if (sd->rodex.tmp.items[i].item.nameid == 0) + if (tmpItem->nameid == 0) continue; - if (sd->rodex.tmp.items[i].item.nameid != sd->status.inventory[idx].nameid - || sd->rodex.tmp.items[i].item.unique_id != sd->status.inventory[idx].unique_id - || sd->rodex.tmp.items[i].item.amount > sd->status.inventory[idx].amount - || sd->rodex.tmp.items[i].item.amount < 1) { + if (tmpItem->nameid != invItem->nameid || + tmpItem->unique_id != invItem->unique_id || + tmpItem->refine != invItem->refine || + tmpItem->attribute != invItem->attribute || + tmpItem->expire_time != invItem->expire_time || + tmpItem->bound != invItem->bound || + tmpItem->amount > invItem->amount || + tmpItem->amount < 1) { rodex->clean(sd, 1); return RODEX_SEND_MAIL_ITEM_ERROR; } + for (j = 0; j < MAX_SLOTS; j++) { + if (tmpItem->card[j] != invItem->card[j]) { + rodex->clean(sd, 1); + return RODEX_SEND_MAIL_ITEM_ERROR; + } + } + for (j = 0; j < MAX_ITEM_OPTIONS; j++) { + if (tmpItem->option[j].index != invItem->option[j].index || + tmpItem->option[j].value != invItem->option[j].value || + tmpItem->option[j].param != invItem->option[j].param) { + rodex->clean(sd, 1); + return RODEX_SEND_MAIL_ITEM_ERROR; + } + } } if (total_zeny > 0 && pc->payzeny(sd, (int)total_zeny, LOG_TYPE_MAIL, NULL) != 0) { |