From f4b719e8ac80797dabfae7cc1486aa3cf1dc1a80 Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Fri, 6 Mar 2015 11:15:22 +0300 Subject: Add checks to char.c --- src/char/char.c | 108 +++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 79 insertions(+), 29 deletions(-) diff --git a/src/char/char.c b/src/char/char.c index 83bb36a34..756b7397a 100644 --- a/src/char/char.c +++ b/src/char/char.c @@ -39,6 +39,7 @@ #include "../common/malloc.h" #include "../common/mapindex.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/strlib.h" @@ -317,6 +318,7 @@ static int char_db_setoffline(DBKey key, DBData *data, va_list ap) { struct online_char_data* character = (struct online_char_data*)DB->data2ptr(data); int server_id = va_arg(ap, int); + nullpo_ret(character); if (server_id == -1) { character->char_id = -1; character->server = -1; @@ -336,12 +338,13 @@ static int char_db_kickoffline(DBKey key, DBData *data, va_list ap) { struct online_char_data* character = (struct online_char_data*)DB->data2ptr(data); int server_id = va_arg(ap, int); + nullpo_ret(character); if (server_id > -1 && character->server != server_id) return 0; //Kick out any connected characters, and set them offline as appropriate. - if (character->server > -1) + if (character->server > -1 && character->server < MAX_MAP_SERVERS) mapif->disconnectplayer(chr->server[character->server].fd, character->account_id, character->char_id, 1); else if (character->waiting_disconnect == INVALID_TIMER) chr->set_char_offline(character->char_id, character->account_id); @@ -404,7 +407,8 @@ int char_mmo_char_tosql(int char_id, struct mmo_charstatus* p) int errors = 0; //If there are any errors while saving, "cp" will not be updated at the end. StringBuf buf; - if (char_id!=p->char_id) return 0; + nullpo_ret(p); + if (char_id != p->char_id) return 0; cp = idb_ensure(chr->char_db_, char_id, chr->create_charstatus); 
@@ -1008,6 +1012,9 @@ int char_mmo_chars_fromsql(struct char_session_data* sd, uint8* buf) time_t unban_time = 0; char sex[2]; + nullpo_ret(sd); + nullpo_ret(buf); + stmt = SQL->StmtMalloc(inter->sql_handle); if( stmt == NULL ) { SqlStmt_ShowDebug(stmt); @@ -1075,6 +1082,8 @@ int char_mmo_chars_fromsql(struct char_session_data* sd, uint8* buf) } for( i = 0; i < MAX_CHARS && SQL_SUCCESS == SQL->StmtNextRow(stmt); i++ ) { + if (p.slot >= MAX_CHARS) + continue; p.last_point.map = mapindex->name2id(last_map); sd->found_char[p.slot] = p.char_id; sd->unban_time[p.slot] = unban_time; @@ -1122,6 +1131,8 @@ int char_mmo_char_fromsql(int char_id, struct mmo_charstatus* p, bool load_every int account_id; char sex[2]; + nullpo_ret(p); + memset(p, 0, sizeof(struct mmo_charstatus)); if (save_log) ShowInfo("Char load request (%d)\n", char_id); @@ -1325,8 +1336,9 @@ int char_mmo_char_fromsql(int char_id, struct mmo_charstatus* p, bool load_every || SQL_ERROR == SQL->StmtBindColumn(stmt, 7, SQLDT_UINT, &tmp_item.expire_time, 0, NULL, NULL) || SQL_ERROR == SQL->StmtBindColumn(stmt, 8, SQLDT_UCHAR, &tmp_item.bound, 0, NULL, NULL) || SQL_ERROR == SQL->StmtBindColumn(stmt, 9, SQLDT_UINT64, &tmp_item.unique_id, 0, NULL, NULL) - ) + ) { SqlStmt_ShowDebug(stmt); + } for( i = 0; i < MAX_SLOTS; ++i ) if( SQL_ERROR == SQL->StmtBindColumn(stmt, 10+i, SQLDT_SHORT, &tmp_item.card[i], 0, NULL, NULL) ) SqlStmt_ShowDebug(stmt); @@ -1348,8 +1360,9 @@ int char_mmo_char_fromsql(int char_id, struct mmo_charstatus* p, bool load_every || SQL_ERROR == SQL->StmtBindColumn(stmt, 0, SQLDT_USHORT, &tmp_skill.id , 0, NULL, NULL) || SQL_ERROR == SQL->StmtBindColumn(stmt, 1, SQLDT_UCHAR , &tmp_skill.lv , 0, NULL, NULL) || SQL_ERROR == SQL->StmtBindColumn(stmt, 2, SQLDT_UCHAR , &tmp_skill.flag, 0, NULL, NULL) - ) + ) { SqlStmt_ShowDebug(stmt); + } if( tmp_skill.flag != SKILL_FLAG_PERM_GRANTED ) tmp_skill.flag = SKILL_FLAG_PERMANENT; 
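Review bot: In the char_mmo_chars_fromsql row loop the new `if (p.slot >= MAX_CHARS) continue;` keeps the writes to `sd->found_char[p.slot]` in bounds, but it discards the row silently while the loop counter `i` still advances for it; if `i` is what the function later returns as the character count (its tail is outside the hunk), the count will include the skipped row. A slot outside 0..MAX_CHARS-1 can only come from a corrupted or tampered `char` table, so it deserves a trace, e.g. `ShowWarning("char_mmo_chars_fromsql: invalid slot %d for char_id %d, skipping\n", p.slot, p.char_id);` before the `continue`. If `p.slot` is a signed type the guard also needs `p.slot < 0`; confirm its declaration in mmo.h.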
@@ -1370,8 +1383,10 @@ int char_mmo_char_fromsql(int char_id, struct mmo_charstatus* p, bool load_every || SQL_ERROR == SQL->StmtExecute(stmt) || SQL_ERROR == SQL->StmtBindColumn(stmt, 0, SQLDT_INT, &tmp_friend.account_id, 0, NULL, NULL) || SQL_ERROR == SQL->StmtBindColumn(stmt, 1, SQLDT_INT, &tmp_friend.char_id, 0, NULL, NULL) - || SQL_ERROR == SQL->StmtBindColumn(stmt, 2, SQLDT_STRING, &tmp_friend.name, sizeof(tmp_friend.name), NULL, NULL) ) + || SQL_ERROR == SQL->StmtBindColumn(stmt, 2, SQLDT_STRING, &tmp_friend.name, sizeof(tmp_friend.name), NULL, NULL) + ) { SqlStmt_ShowDebug(stmt); + } for( i = 0; i < MAX_FRIENDS && SQL_SUCCESS == SQL->StmtNextRow(stmt); ++i ) memcpy(&p->friends[i], &tmp_friend, sizeof(tmp_friend)); @@ -1414,8 +1429,10 @@ int char_mmo_char_fromsql(int char_id, struct mmo_charstatus* p, bool load_every || SQL_ERROR == SQL->StmtBindColumn(stmt, 0, SQLDT_INT, &p->bank_vault, 0, NULL, NULL) || SQL_ERROR == SQL->StmtBindColumn(stmt, 1, SQLDT_USHORT, &p->mod_exp, 0, NULL, NULL) || SQL_ERROR == SQL->StmtBindColumn(stmt, 2, SQLDT_USHORT, &p->mod_drop, 0, NULL, NULL) - || SQL_ERROR == SQL->StmtBindColumn(stmt, 3, SQLDT_USHORT, &p->mod_death, 0, NULL, NULL) ) + || SQL_ERROR == SQL->StmtBindColumn(stmt, 3, SQLDT_USHORT, &p->mod_death, 0, NULL, NULL) + ) { SqlStmt_ShowDebug(stmt); + } if( SQL_SUCCESS == SQL->StmtNextRow(stmt) ) strcat(t_msg, " accdata"); 
@@ -1473,7 +1490,8 @@ bool char_char_slotchange(struct char_session_data *sd, int fd, unsigned short f /* update both at once */ if( SQL_SUCCESS != SQL->QueryStr(inter->sql_handle, "START TRANSACTION") || SQL_SUCCESS != SQL->Query(inter->sql_handle, "UPDATE `%s` SET `char_num`='%d' WHERE `char_id`='%d' LIMIT 1", char_db, from, sd->found_char[to]) - || SQL_SUCCESS != SQL->Query(inter->sql_handle, "UPDATE `%s` SET `char_num`='%d' WHERE `char_id`='%d' LIMIT 1", char_db, to, sd->found_char[from]) ) + || SQL_SUCCESS != SQL->Query(inter->sql_handle, "UPDATE `%s` SET `char_num`='%d' WHERE `char_id`='%d' LIMIT 1", char_db, to, sd->found_char[from]) + ) Sql_ShowDebug(inter->sql_handle); else result = true; @@ -1508,12 +1526,17 @@ int char_rename_char_sql(struct char_session_data *sd, int char_id) struct mmo_charstatus char_dat; char esc_name[NAME_LENGTH*2+1]; + nullpo_retr(2, sd); + if( sd->new_name[0] == 0 ) // Not ready for rename return 2; if( !chr->mmo_char_fromsql(char_id, &char_dat, false) ) // Only the short data is needed. return 2; + if (sd->account_id != char_dat.account_id) // Try rename not own char + return 2; + if( char_dat.rename == 0 ) return 1; @@ -1556,8 +1579,11 @@ int char_check_char_name(char * name, char * esc_name) { int i; + nullpo_retr(-2, name); + nullpo_retr(-2, esc_name); + // check length of character name - if( name[0] == '\0' ) + if (name[0] == '\0') return -2; // empty character name /** * The client does not allow you to create names with less than 4 characters, however, @@ -2027,6 +2053,7 @@ void char_mmo_char_send_ban_list(int fd, struct char_session_data *sd) { int i; time_t now = time(NULL); + nullpo_retv(sd); ARR_FIND(0, MAX_CHARS, i, sd->unban_time[i]); if( i != MAX_CHARS ) { int c; 
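Review bot: The new ownership check in char_rename_char_sql, `if (sd->account_id != char_dat.account_id)`, returns the same code 2 as "not ready for rename", so a request to rename a character the account does not own is indistinguishable in the reply and leaves no trace on the char server. That mismatch is not something a normal client produces, so log it before returning: `ShowWarning("char_rename_char_sql: account %d tried to rename char %d owned by account %d\n", sd->account_id, char_id, char_dat.account_id);`. The comment would also read better as `// Refuse to rename a character owned by another account`.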
@@ -2063,6 +2090,7 @@ void char_mmo_char_send_ban_list(int fd, struct char_session_data *sd) { // [Ind/Hercules] notify client about charselect window data //---------------------------------------- void char_mmo_char_send_slots_info(int fd, struct char_session_data* sd) { + nullpo_retv(sd); WFIFOHEAD(fd,29); WFIFOW(fd,0) = 0x82d; WFIFOW(fd,2) = 29; @@ -2080,6 +2108,7 @@ void char_mmo_char_send_slots_info(int fd, struct char_session_data* sd) { int char_mmo_char_send_characters(int fd, struct char_session_data* sd) { int j, offset = 0; + nullpo_ret(sd); #if PACKETVER >= 20100413 offset += 3; #endif @@ -2201,6 +2230,8 @@ static void char_auth_ok(int fd, struct char_session_data *sd) { struct online_char_data* character; + nullpo_retv(sd); + if( (character = (struct online_char_data*)idb_get(chr->online_char_db, sd->account_id)) != NULL ) { // check if character is not online already. [Skotlex] if (character->server > -1) { @@ -2356,7 +2387,8 @@ void char_parse_fromlogin_account_data(int fd) void char_parse_fromlogin_login_pong(int fd) { RFIFOSKIP(fd,2); - session[fd]->flag.ping = 0; + if (session[fd]) + session[fd]->flag.ping = 0; } void char_changesex(int account_id, int sex) @@ -2870,7 +2902,7 @@ void char_update_fame_list(int type, int index, int fame) { mapif->sendall(buf, 8); } -//Loads a character's name and stores it in the buffer given (must be NAME_LENGTH in size) +//Loads a character's name and stores it in the buffer given (must be NAME_LENGTH in size) and not NULL //Returns 1 on found, 0 on not found (buffer is filled with Unknown char name) int char_loadName(int char_id, char* name) { @@ -2943,6 +2975,7 @@ void mapif_on_disconnect(int id) } void mapif_on_parse_accinfo(int account_id, int u_fd, int u_aid, int u_group, int map_fd) { + Assert_retv(chr->login_fd > 0); WFIFOHEAD(chr->login_fd,22); WFIFOW(chr->login_fd,0) = 0x2740; WFIFOL(chr->login_fd,2) = account_id; 
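Review bot: In char_parse_fromlogin_login_pong the new `if (session[fd])` guard comes after `RFIFOSKIP(fd,2)`, so if that macro itself reads `session[fd]` (confirm against socket.h, which this file includes) the NULL case has already been dereferenced by the time the guard runs. Making `if (!session[fd]) return;` the first statement of the function covers both accesses; otherwise the added check buys nothing.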
@@ -2964,7 +2997,7 @@ void char_parse_frommap_skillid2idx(int fd) int i; int j = RFIFOW(fd, 2) - 4; - memset(&skillid2idx, 0, sizeof(skillid2idx)); + memset(&skillid2idx, 0, sizeof(skillid2idx)); if( j ) j /= 4; for(i = 0; i < j; i++) { @@ -3348,6 +3381,8 @@ void char_ban(int account_id, int char_id, time_t *unban_time, short year, short struct tm *tmtime; SqlStmt* stmt = SQL->StmtMalloc(inter->sql_handle); + nullpo_retv(unban_time); + if (*unban_time == 0 || *unban_time < time(NULL)) timestamp = time(NULL); // new ban else @@ -3363,13 +3398,12 @@ void char_ban(int account_id, int char_id, time_t *unban_time, short year, short timestamp = mktime(tmtime); if( SQL_SUCCESS != SQL->StmtPrepare(stmt, - "UPDATE `%s` SET `unban_time` = ? WHERE `char_id` = ? LIMIT 1", - char_db) + "UPDATE `%s` SET `unban_time` = ? WHERE `char_id` = ? LIMIT 1", + char_db) || SQL_SUCCESS != SQL->StmtBindParam(stmt, 0, SQLDT_LONG, (void*)×tamp, sizeof(timestamp)) || SQL_SUCCESS != SQL->StmtBindParam(stmt, 1, SQLDT_INT, (void*)&char_id, sizeof(char_id)) || SQL_SUCCESS != SQL->StmtExecute(stmt) - - ) { + ) { SqlStmt_ShowDebug(stmt); } @@ -3388,12 +3422,14 @@ void char_unban(int char_id, int *result) /* handled by char server, so no redirection */ if( SQL_ERROR == SQL->Query(inter->sql_handle, "UPDATE `%s` SET `unban_time` = '0' WHERE `char_id` = '%d' LIMIT 1", char_db, char_id) ) { Sql_ShowDebug(inter->sql_handle); - *result = 1; + if (result) + *result = 1; } } void char_ask_name_ack(int fd, int acc, const char* name, int type, int result) { + nullpo_retv(name); WFIFOHEAD(fd,34); WFIFOW(fd, 0) = 0x2b0f; WFIFOL(fd, 2) = acc; @@ -3499,6 +3535,10 @@ void char_parse_frommap_fame_list(int fd) default: size = 0; list = NULL; break; } + if (!list) { + RFIFOSKIP(fd, 11); + return; + } ARR_FIND(0, size, player_pos, list[player_pos].id == cid);// position of the player ARR_FIND(0, size, fame_pos, list[fame_pos].fame <= fame);// where the player should be 
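Review bot: In char_ban the new `nullpo_retv(unban_time);` sits after `SqlStmt* stmt = SQL->StmtMalloc(inter->sql_handle);`, so the NULL-argument path returns without the `SQL->StmtFree(stmt)` that the normal path presumably performs later (the rest of the function is outside the hunk), leaking the allocated statement. Place the check before the allocation: declare `SqlStmt* stmt;`, then `nullpo_retv(unban_time);`, then `stmt = SQL->StmtMalloc(inter->sql_handle);`.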
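Review bot: The new early return in char_parse_frommap_fame_list skips a literal `11` bytes, which has to stay equal to whatever the normal path skips after processing the packet (outside the hunk); a `default:` type reaching this branch means the map server sent a fame list type this char server does not understand, and it is now dropped without any message. Add `ShowWarning("char_parse_frommap_fame_list: unknown fame list type from fd %d\n", fd);` before the skip so malformed map-server traffic is visible in the log, and consider a single named packet length shared by both skip sites.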
@@ -3624,6 +3664,7 @@ void char_parse_frommap_ping(int fd) void char_map_auth_ok(int fd, int account_id, struct char_auth_node* node, struct mmo_charstatus* cd) { + nullpo_retv(cd); WFIFOHEAD(fd,25 + sizeof(struct mmo_charstatus)); WFIFOW(fd,0) = 0x2afd; WFIFOW(fd,2) = 25 + sizeof(struct mmo_charstatus); @@ -4391,6 +4432,7 @@ void char_parse_char_connect(int fd, struct char_session_data* sd, uint32 ipl) void char_send_map_info(int fd, int i, uint32 subnet_map_ip, struct mmo_charstatus *cd) { + nullpo_retv(cd); WFIFOHEAD(fd,28); WFIFOW(fd,0) = 0x71; WFIFOL(fd,2) = cd->char_id; @@ -4413,6 +4455,7 @@ int char_search_default_maps_mapserver(struct mmo_charstatus *cd) { int i; int j; + nullpo_retr(-1, cd); if ((i = chr->search_mapserver((j=mapindex->name2id(MAP_PRONTERA)),-1,-1)) >= 0) { cd->last_point.x = 273; cd->last_point.y = 354; @@ -4505,6 +4548,7 @@ void char_parse_char_select(int fd, struct char_session_data* sd, uint32 ipl) //Have to switch over to the DB instance otherwise data won't propagate [Kevin] cd = (struct mmo_charstatus *)idb_get(chr->char_db_, char_id); + nullpo_retv(cd); if( cd->sex == 99 ) cd->sex = sd->sex; @@ -4658,7 +4702,7 @@ void char_parse_char_delete_char(int fd, struct char_session_data* sd, unsigned int i; #if PACKETVER >= 20110309 - if( pincode->enabled ){ // hack check + if (pincode->enabled) { // hack check struct online_char_data* character; character = (struct online_char_data*)idb_get(chr->online_char_db, sd->account_id); if( character && character->pincode_enable == -1 ){ 
@@ -4874,33 +4918,33 @@ void char_parse_char_login_map_server(int fd) void char_parse_char_pincode_check(int fd, struct char_session_data* sd) { - if( RFIFOL(fd,2) == sd->account_id ) - pincode->check( fd, sd ); + if (RFIFOL(fd,2) == sd->account_id) + pincode->check(fd, sd); - RFIFOSKIP(fd,10); + RFIFOSKIP(fd, 10); } void char_parse_char_pincode_window(int fd, struct char_session_data* sd) { - if( RFIFOL(fd,2) == sd->account_id ) - pincode->sendstate( fd, sd, PINCODE_NOTSET ); + if (RFIFOL(fd,2) == sd->account_id) + pincode->sendstate(fd, sd, PINCODE_NOTSET); - RFIFOSKIP(fd,6); + RFIFOSKIP(fd, 6); } void char_parse_char_pincode_change(int fd, struct char_session_data* sd) { - if( RFIFOL(fd,2) == sd->account_id ) - pincode->change( fd, sd ); + if (RFIFOL(fd,2) == sd->account_id) + pincode->change(fd, sd); - RFIFOSKIP(fd,14); + RFIFOSKIP(fd, 14); } void char_parse_char_pincode_first_pin(int fd, struct char_session_data* sd) { - if( RFIFOL(fd,2) == sd->account_id ) - pincode->setnew( fd, sd ); - RFIFOSKIP(fd,10); + if (RFIFOL(fd,2) == sd->account_id) + pincode->setnew (fd, sd); + RFIFOSKIP(fd, 10); } void char_parse_char_request_chars(int fd, struct char_session_data* sd) @@ -5155,6 +5199,7 @@ int mapif_sendall(unsigned char *buf, unsigned int len) { int i, c; + nullpo_ret(buf); c = 0; for(i = 0; i < ARRAYLENGTH(chr->server); i++) { int fd; @@ -5173,6 +5218,7 @@ int mapif_sendallwos(int sfd, unsigned char *buf, unsigned int len) { int i, c; + nullpo_ret(buf); c = 0; for(i = 0; i < ARRAYLENGTH(chr->server); i++) { int fd; @@ -5189,6 +5235,7 @@ int mapif_sendallwos(int sfd, unsigned char *buf, unsigned int len) int mapif_send(int fd, unsigned char *buf, unsigned int len) { + nullpo_ret(buf); if (fd >= 0) { int i; ARR_FIND( 0, ARRAYLENGTH(chr->server), i, fd == chr->server[i].fd ); 
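Review bot: `pincode->setnew (fd, sd);` in char_parse_char_pincode_first_pin keeps a space before the argument list that the three sibling handlers rewritten in the same hunk drop (`pincode->check(fd, sd);`, `pincode->sendstate(fd, sd, PINCODE_NOTSET);`, `pincode->change(fd, sd);`). Since this hunk is a pure style pass, it should read `pincode->setnew(fd, sd);`.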
@@ -5241,6 +5288,7 @@ static int char_send_accounts_tologin_sub(DBKey key, DBData *data, va_list ap) struct online_char_data* character = DB->data2ptr(data); int* i = va_arg(ap, int*); + nullpo_ret(character); if(character->server > -1) { WFIFOL(chr->login_fd,8+(*i)*4) = character->account_id; @@ -5307,6 +5355,7 @@ static int char_waiting_disconnect(int tid, int64 tick, int id, intptr_t data) { static int char_online_data_cleanup_sub(DBKey key, DBData *data, va_list ap) { struct online_char_data *character= DB->data2ptr(data); + nullpo_ret(character); if (character->fd != -1) return 0; //Character still connected if (character->server == -2) //Unknown server.. set them offline @@ -5955,6 +6004,7 @@ void char_defaults(void) memset(chr->userid, 0, sizeof(chr->userid)); memset(chr->passwd, 0, sizeof(chr->passwd)); + memset(chr->server_name, 0, sizeof(chr->server_name)); chr->ip = 0; chr->port = 6121; -- cgit v1.2.3-70-g09d2 From fb9f8cadf5ebe6c6d2fce3106a917cbd8956695d Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Mon, 30 Mar 2015 16:51:12 +0300 Subject: Add checks to int_auction.c --- src/char/int_auction.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/char/int_auction.c b/src/char/int_auction.c index 57eae641d..2c54db16b 100644 --- a/src/char/int_auction.c +++ b/src/char/int_auction.c @@ -17,6 +17,7 @@ #include "../common/db.h" #include "../common/malloc.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/sql.h" @@ -33,7 +34,7 @@ static int inter_auction_count(int char_id, bool buy) for( auction = dbi_first(iter); dbi_exists(iter); auction = dbi_next(iter) ) { - if( (buy && auction->buyer_id == char_id) || (!buy && auction->seller_id == char_id) ) + if ((buy && auction->buyer_id == char_id) || (!buy && auction->seller_id == char_id)) i++; } dbi_destroy(iter); 
@@ -160,6 +161,7 @@ static int inter_auction_end_timer(int tid, int64 tick, int id, intptr_t data) { void inter_auction_delete(struct auction_data *auction) { + nullpo_retv(auction); unsigned int auction_id = auction->auction_id; if( SQL_ERROR == SQL->Query(inter->sql_handle, "DELETE FROM `%s` WHERE `auction_id` = '%d'", auction_db, auction_id) ) @@ -240,6 +242,8 @@ void mapif_auction_sendlist(int fd, int char_id, short count, short pages, unsig { int len = (sizeof(struct auction_data) * count) + 12; + nullpo_retv(buf); + WFIFOHEAD(fd, len); WFIFOW(fd,0) = 0x3850; WFIFOW(fd,2) = len; @@ -297,6 +301,8 @@ void mapif_auction_register(int fd, struct auction_data *auction) { int len = sizeof(struct auction_data) + 4; + nullpo_retv(auction); + WFIFOHEAD(fd,len); WFIFOW(fd,0) = 0x3851; WFIFOW(fd,2) = len; -- cgit v1.2.3-70-g09d2 From 8e2c71ea78e461b4a9274d22bcb3039bf6ec3584 Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Mon, 30 Mar 2015 20:58:25 +0300 Subject: Add checks to int_elements.c --- src/char/int_elemental.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/char/int_elemental.c b/src/char/int_elemental.c index d14d1e1e0..3a5022fe4 100644 --- a/src/char/int_elemental.c +++ b/src/char/int_elemental.c @@ -15,6 +15,7 @@ #include "mapif.h" #include "../common/malloc.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/sql.h" @@ -26,6 +27,7 @@ struct inter_elemental_interface inter_elemental_s; bool mapif_elemental_save(struct s_elemental* ele) { bool flag = true; + nullpo_retr(false, ele); if( ele->elemental_id == 0 ) { // Create new DB entry if( SQL_ERROR == SQL->Query(inter->sql_handle, "INSERT INTO `%s` (`char_id`,`class`,`mode`,`hp`,`sp`,`max_hp`,`max_sp`,`atk1`,`atk2`,`matk`,`aspd`,`def`,`mdef`,`flee`,`hit`,`life_time`)" 
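Review bot: In inter_auction_delete the added `nullpo_retv(auction);` precedes the declaration `unsigned int auction_id = auction->auction_id;`, a declaration after a statement that the other hunks in this series avoid by keeping the check after the declaration block (e.g. `int len = ...;` then `nullpo_retv(buf);` in mapif_auction_sendlist just below); mapif_guild_withdraw in the int_guild.c patch has the same ordering with `unsigned char buf[55+NAME_LENGTH];`. If the project still builds with compilers that reject mixed declarations, keep the declarations first: `unsigned int auction_id;`, `nullpo_retv(auction);`, `auction_id = auction->auction_id;`.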
@@ -53,6 +55,7 @@ bool mapif_elemental_save(struct s_elemental* ele) { bool mapif_elemental_load(int ele_id, int char_id, struct s_elemental *ele) { char* data; + nullpo_retr(false, ele); memset(ele, 0, sizeof(struct s_elemental)); ele->elemental_id = ele_id; ele->char_id = char_id; @@ -105,6 +108,7 @@ bool mapif_elemental_delete(int ele_id) { void mapif_elemental_send(int fd, struct s_elemental *ele, unsigned char flag) { int size = sizeof(struct s_elemental) + 5; + nullpo_retv(ele); WFIFOHEAD(fd,size); WFIFOW(fd,0) = 0x387c; WFIFOW(fd,2) = size; -- cgit v1.2.3-70-g09d2 From dab1fba3a88b9c5e86a778a29bd4d565fc937155 Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Mon, 30 Mar 2015 23:47:36 +0300 Subject: Add checks to int_guild.c --- src/char/int_guild.c | 48 +++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 45 insertions(+), 3 deletions(-) diff --git a/src/char/int_guild.c b/src/char/int_guild.c index 20db452af..13aaeb0b4 100644 --- a/src/char/int_guild.c +++ b/src/char/int_guild.c @@ -18,6 +18,7 @@ #include "../common/db.h" #include "../common/malloc.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/strlib.h" @@ -50,6 +51,8 @@ int inter_guild_save_timer(int tid, int64 tick, int id, intptr_t data) { for( g = DB->data2ptr(iter->first(iter, &key)); dbi_exists(iter); g = DB->data2ptr(iter->next(iter, &key)) ) { + if (!g) + continue; if( state == 0 && g->guild_id == last_id ) state++; //Save next guild in the list. else @@ -114,6 +117,7 @@ int inter_guild_tosql(struct guild *g,int flag) char new_guild = 0; int i=0; + nullpo_ret(g); if (g->guild_id<=0 && g->guild_id != -1) return 0; #ifdef NOISY 
@@ -253,7 +257,7 @@ int inter_guild_tosql(struct guild *g,int flag) //printf("- Insert guild %d to guild_position\n",g->guild_id); for(i=0;iposition[i]; - if (!p->modified) + if (!p || !p->modified) continue; SQL->EscapeStringLen(inter->sql_handle, esc_name, p->name, strnlen(p->name, NAME_LENGTH)); if( SQL_ERROR == SQL->Query(inter->sql_handle, "REPLACE INTO `%s` (`guild_id`,`position`,`name`,`mode`,`exp_mode`) VALUES ('%d','%d','%s','%d','%d')", @@ -521,6 +525,7 @@ int inter_guild_castle_tosql(struct guild_castle *gc) StringBuf buf; int i; + nullpo_ret(gc); StrBuf->Init(&buf); StrBuf->Printf(&buf, "REPLACE INTO `%s` SET `castle_id`='%d', `guild_id`='%d', `economy`='%d', `defense`='%d', " "`triggerE`='%d', `triggerD`='%d', `nextTime`='%d', `payTime`='%d', `createTime`='%d', `visibleC`='%d'", @@ -593,6 +598,7 @@ struct guild_castle* inter_guild_castle_fromsql(int castle_id) // Read exp_guild.txt bool inter_guild_exp_parse_row(char* split[], int column, int current) { int64 exp = strtoll(split[0], NULL, 10); + nullpo_retr(true, split); if (exp < 0 || exp >= UINT_MAX) { ShowError("exp_guild: Invalid exp %"PRId64" (valid range: 0 - %u) at line %d\n", exp, UINT_MAX, current); @@ -729,6 +735,7 @@ int inter_guild_sql_init(void) int inter_guild_db_final(DBKey key, DBData *data, va_list ap) { struct guild *g = DB->data2ptr(data); + nullpo_ret(g); if (g->save_flag&GS_MASK) { inter_guild->tosql(g, g->save_flag&GS_MASK); return 1; @@ -749,6 +756,7 @@ int inter_guild_search_guildname(char *str) int guild_id; char esc_name[NAME_LENGTH*2+1]; + nullpo_retr(-1, str); SQL->EscapeStringLen(inter->sql_handle, esc_name, str, safestrnlen(str, NAME_LENGTH)); //Lookup guilds with the same name if( SQL_ERROR == SQL->Query(inter->sql_handle, "SELECT guild_id FROM `%s` WHERE name='%s'", guild_db, esc_name) ) 
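Review bot: In inter_guild_exp_parse_row the new `nullpo_retr(true, split);` is placed after `int64 exp = strtoll(split[0], NULL, 10);`, which has already dereferenced `split` by the time the check runs, so the guard can never fire before the fault it is meant to prevent. Check first and initialise afterwards: `int64 exp;`, `nullpo_retr(true, split);`, `exp = strtoll(split[0], NULL, 10);`.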
@@ -776,6 +784,7 @@ int inter_guild_search_guildname(char *str) static bool inter_guild_check_empty(struct guild *g) { int i; + nullpo_ret(g); ARR_FIND( 0, g->max_member, i, g->member[i].account_id > 0 ); if( i < g->max_member) return false; // not empty @@ -788,16 +797,17 @@ static bool inter_guild_check_empty(struct guild *g) unsigned int inter_guild_nextexp(int level) { if (level == 0) return 1; - if (level <= 0 || level >= MAX_GUILDLEVEL) + if (level <= 0 || level > MAX_GUILDLEVEL) return 0; return inter_guild->exp[level-1]; } -int inter_guild_checkskill(struct guild *g,int id) +int inter_guild_checkskill(struct guild *g, int id) { int idx = id - GD_SKILLBASE; + nullpo_ret(g); if(idx < 0 || idx >= MAX_GUILDSKILL) return 0; @@ -810,6 +820,7 @@ int inter_guild_calcinfo(struct guild *g) unsigned int nextexp; struct guild before = *g; // Save guild current values + nullpo_ret(g); if(g->guild_lv<=0) g->guild_lv = 1; nextexp = inter_guild->nextexp(g->guild_lv); @@ -872,6 +883,7 @@ int inter_guild_calcinfo(struct guild *g) int mapif_guild_created(int fd, int account_id, struct guild *g) { + nullpo_ret(g); WFIFOHEAD(fd, 10); WFIFOW(fd,0)=0x3830; WFIFOL(fd,2)=account_id; @@ -905,6 +917,7 @@ int mapif_guild_noinfo(int fd, int guild_id) int mapif_guild_info(int fd, struct guild *g) { unsigned char buf[8+sizeof(struct guild)]; + nullpo_ret(g); WBUFW(buf,0)=0x3831; WBUFW(buf,2)=4+sizeof(struct guild); memcpy(buf+4,g,sizeof(struct guild)); @@ -931,6 +944,8 @@ int mapif_guild_memberadded(int fd, int guild_id, int account_id, int char_id, i // ACK member leave int mapif_guild_withdraw(int guild_id,int account_id,int char_id,int flag, const char *name, const char *mes) { + nullpo_ret(name); + nullpo_ret(mes); unsigned char buf[55+NAME_LENGTH]; WBUFW(buf, 0)=0x3834; WBUFL(buf, 2)=guild_id; 
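Review bot: inter_guild_nextexp now accepts `level == MAX_GUILDLEVEL` and returns `inter_guild->exp[level-1]`, i.e. index MAX_GUILDLEVEL-1; that is in bounds only if the `exp` array in the interface struct has at least MAX_GUILDLEVEL entries, which this diff does not show (the `memset(inter_guild->exp, 0, sizeof(inter_guild->exp))` added in inter_guild_defaults reveals only that it is an array). Confirm the declaration before keeping the relaxed bound, since the old `>=` may have been protecting a table of MAX_GUILDLEVEL-1 entries; a compile-time assertion on the array length next to this function would pin the relationship.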
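Review bot: In inter_guild_calcinfo the added `nullpo_ret(g);` comes after `struct guild before = *g;`, so `g` is already dereferenced by the struct copy before the check runs. Declare first and copy after the guard: `struct guild before;`, `nullpo_ret(g);`, `before = *g;`. inter_guild_exp_parse_row in this same patch has the same ordering problem with `split[0]`.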
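Review bot: Adding `nullpo_ret(g);` to mapif_guild_created turns an intentional NULL argument into a silent no-op: mapif_parse_CreateGuild later in this same patch still calls `mapif->guild_created(fd,account_id,NULL);` to tell the map server that creation failed on a duplicate name, and with this check that failure reply is never sent. The rest of mapif_guild_created is outside the hunk, but it is presumably where a NULL `g` is turned into the failure packet; either drop the check here and keep that branch, or move the NULL handling into the caller, and confirm which before merging.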
@@ -948,6 +963,8 @@ int mapif_guild_withdraw(int guild_id,int account_id,int char_id,int flag, const int mapif_guild_memberinfoshort(struct guild *g, int idx) { unsigned char buf[19]; + nullpo_ret(g); + Assert_ret(idx >= 0 && idx < MAX_GUILD); WBUFW(buf, 0)=0x3835; WBUFL(buf, 2)=g->guild_id; WBUFL(buf, 6)=g->member[idx].account_id; @@ -975,6 +992,7 @@ int mapif_guild_broken(int guild_id, int flag) int mapif_guild_message(int guild_id, int account_id, char *mes, int len, int sfd) { unsigned char buf[512]; + nullpo_ret(mes); if (len > 500) len = 500; WBUFW(buf,0)=0x3837; @@ -990,6 +1008,7 @@ int mapif_guild_message(int guild_id, int account_id, char *mes, int len, int sf int mapif_guild_basicinfochanged(int guild_id, int type, const void *data, int len) { unsigned char buf[2048]; + nullpo_ret(data); if (len > 2038) len = 2038; WBUFW(buf, 0)=0x3839; @@ -1005,6 +1024,7 @@ int mapif_guild_basicinfochanged(int guild_id, int type, const void *data, int l int mapif_guild_memberinfochanged(int guild_id, int account_id, int char_id, int type, const void *data, int len) { unsigned char buf[2048]; + nullpo_ret(data); if (len > 2030) len = 2030; WBUFW(buf, 0)=0x383a; @@ -1034,6 +1054,8 @@ int mapif_guild_skillupack(int guild_id, uint16 skill_id, int account_id) int mapif_guild_alliance(int guild_id1, int guild_id2, int account_id1, int account_id2, int flag, const char *name1, const char *name2) { unsigned char buf[19+2*NAME_LENGTH]; + nullpo_ret(name1); + nullpo_ret(name2); WBUFW(buf, 0)=0x383d; WBUFL(buf, 2)=guild_id1; WBUFL(buf, 6)=guild_id2; @@ -1050,6 +1072,8 @@ int mapif_guild_alliance(int guild_id1, int guild_id2, int account_id1, int acco int mapif_guild_position(struct guild *g, int idx) { unsigned char buf[12 + sizeof(struct guild_position)]; + nullpo_ret(g); + Assert_ret(idx >= 0 && idx < MAX_GUILDPOSITION); WBUFW(buf,0)=0x383b; WBUFW(buf,2)=sizeof(struct guild_position)+12; WBUFL(buf,4)=g->guild_id; 
@@ -1063,6 +1087,7 @@ int mapif_guild_position(struct guild *g, int idx) int mapif_guild_notice(struct guild *g) { unsigned char buf[256]; + nullpo_ret(g); WBUFW(buf,0)=0x383e; WBUFL(buf,2)=g->guild_id; memcpy(WBUFP(buf,6),g->mes1,MAX_GUILDMES1); @@ -1075,6 +1100,7 @@ int mapif_guild_notice(struct guild *g) int mapif_guild_emblem(struct guild *g) { unsigned char buf[12 + sizeof(g->emblem_data)]; + nullpo_ret(g); WBUFW(buf,0)=0x383f; WBUFW(buf,2)=g->emblem_len+12; WBUFL(buf,4)=g->guild_id; @@ -1087,6 +1113,7 @@ int mapif_guild_emblem(struct guild *g) int mapif_guild_master_changed(struct guild *g, int aid, int cid) { unsigned char buf[14]; + nullpo_ret(g); WBUFW(buf,0)=0x3843; WBUFL(buf,2)=g->guild_id; WBUFL(buf,6)=aid; @@ -1102,6 +1129,7 @@ int mapif_guild_castle_dataload(int fd, int sz, int *castle_ids) int len = 4 + num * sizeof(*gc); int i; + nullpo_ret(castle_ids); WFIFOHEAD(fd, len); WFIFOW(fd, 0) = 0x3840; WFIFOW(fd, 2) = len; @@ -1125,6 +1153,8 @@ int mapif_parse_CreateGuild(int fd,int account_id,char *name,struct guild_member #ifdef NOISY ShowInfo("Creating Guild (%s)\n", name); #endif + nullpo_ret(name); + nullpo_ret(master); if(inter_guild->search_guildname(name) != 0){ ShowInfo("int_guild: guild with same name exists [%s]\n",name); mapif->guild_created(fd,account_id,NULL); @@ -1217,6 +1247,7 @@ int mapif_parse_GuildAddMember(int fd, int guild_id, struct guild_member *m) struct guild * g; int i; + nullpo_ret(m); g = inter_guild->fromsql(guild_id); if(g==NULL){ // Failed to add @@ -1262,6 +1293,7 @@ int mapif_parse_GuildLeave(int fd, int guild_id, int account_id, int char_id, in return 0; } + nullpo_ret(mes); // Find the member ARR_FIND( 0, g->max_member, i, g->member[i].account_id == account_id && g->member[i].char_id == char_id ); if( i == g->max_member ) 
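Review bot: In mapif_parse_CreateGuild the new `nullpo_ret(name);` and `nullpo_ret(master);` are placed after the `#ifdef NOISY` block whose `ShowInfo("Creating Guild (%s)\n", name);` already passes `name` to printf-style formatting, so a NOISY build would fault before the guard runs. Move both checks above the `#ifdef NOISY` line.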
@@ -1426,6 +1458,7 @@ int mapif_parse_GuildBasicInfoChange(int fd, int guild_id, int type, const void if( g == NULL ) return 0; + nullpo_ret(data); switch(type) { case GBI_EXP: value = *((const int16 *)data); @@ -1478,6 +1511,7 @@ int mapif_parse_GuildMemberInfoChange(int fd, int guild_id, int account_id, int int i; struct guild * g; + nullpo_ret(data); g = inter_guild->fromsql(guild_id); if(g==NULL) return 0; @@ -1588,6 +1622,7 @@ int inter_guild_charname_changed(int guild_id, int account_id, int char_id, char struct guild *g; int i, flag = 0; + nullpo_ret(name); g = inter_guild->fromsql(guild_id); if( g == NULL ) { @@ -1625,6 +1660,7 @@ int mapif_parse_GuildPosition(int fd, int guild_id, int idx, struct guild_positi // Could make some improvement in speed, because only change guild_position struct guild * g; + nullpo_ret(p); g = inter_guild->fromsql(guild_id); if(g==NULL || idx<0 || idx>=MAX_GUILDPOSITION) return 0; @@ -1664,6 +1700,7 @@ int mapif_parse_GuildDeleteAlliance(struct guild *g, int guild_id, int account_i int i; char name[NAME_LENGTH]; + nullpo_retr(-1, g); ARR_FIND( 0, MAX_GUILDALLIANCE, i, g->alliance[i].guild_id == guild_id ); if( i == MAX_GUILDALLIANCE ) return -1; @@ -1726,6 +1763,8 @@ int mapif_parse_GuildNotice(int fd, int guild_id, const char *mes1, const char * { struct guild *g; + nullpo_ret(mes1); + nullpo_ret(mes2); g = inter_guild->fromsql(guild_id); if(g==NULL) return 0; @@ -1740,6 +1779,7 @@ int mapif_parse_GuildEmblem(int fd, int len, int guild_id, int dummy, const char { struct guild * g; + nullpo_ret(data); g = inter_guild->fromsql(guild_id); if(g==NULL) return 0; @@ -1804,6 +1844,7 @@ int mapif_parse_GuildMasterChange(int fd, int guild_id, const char* name, int le struct guild_member gm; int pos; + nullpo_ret(name); g = inter_guild->fromsql(guild_id); if(g==NULL || len > NAME_LENGTH) 
@@ -1888,6 +1929,7 @@ void inter_guild_defaults(void) inter_guild->guild_db = NULL; inter_guild->castle_db = NULL; + memset(inter_guild->exp, 0, sizeof(inter_guild->exp)); inter_guild->save_timer = inter_guild_save_timer; inter_guild->removemember_tosql = inter_guild_removemember_tosql; -- cgit v1.2.3-70-g09d2 From f6faa451fedff3c1ff7c82cb8b088edb9482239c Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Tue, 31 Mar 2015 00:00:01 +0300 Subject: Add checks to int_homun.c --- src/char/int_homun.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/char/int_homun.c b/src/char/int_homun.c index dd23261c2..9f91de252 100644 --- a/src/char/int_homun.c +++ b/src/char/int_homun.c @@ -15,6 +15,7 @@ #include "mapif.h" #include "../common/malloc.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/sql.h" @@ -34,6 +35,7 @@ void inter_homunculus_sql_final(void) void mapif_homunculus_created(int fd, int account_id, struct s_homunculus *sh, unsigned char flag) { + nullpo_retv(sh); WFIFOHEAD(fd, sizeof(struct s_homunculus)+9); WFIFOW(fd,0) = 0x3890; WFIFOW(fd,2) = sizeof(struct s_homunculus)+9; @@ -53,6 +55,7 @@ void mapif_homunculus_deleted(int fd, int flag) void mapif_homunculus_loaded(int fd, int account_id, struct s_homunculus *hd) { + nullpo_retv(hd); WFIFOHEAD(fd, sizeof(struct s_homunculus)+9); WFIFOW(fd,0) = 0x3891; WFIFOW(fd,2) = sizeof(struct s_homunculus)+9; @@ -81,6 +84,7 @@ void mapif_homunculus_saved(int fd, int account_id, bool flag) void mapif_homunculus_renamed(int fd, int account_id, int char_id, unsigned char flag, char* name) { + nullpo_retv(name); WFIFOHEAD(fd, NAME_LENGTH+12); WFIFOW(fd, 0) = 0x3894; WFIFOL(fd, 2) = account_id; 
@@ -95,6 +99,7 @@ bool mapif_homunculus_save(struct s_homunculus* hd) bool flag = true; char esc_name[NAME_LENGTH*2+1]; + nullpo_ret(hd); SQL->EscapeStringLen(inter->sql_handle, esc_name, hd->name, strnlen(hd->name, NAME_LENGTH)); if( hd->hom_id == 0 ) @@ -158,6 +163,7 @@ bool mapif_homunculus_load(int homun_id, struct s_homunculus* hd) char* data; size_t len; + nullpo_ret(hd); memset(hd, 0, sizeof(*hd)); if( SQL_ERROR == SQL->Query(inter->sql_handle, "SELECT `homun_id`,`char_id`,`class`,`prev_class`,`name`,`level`,`exp`,`intimacy`,`hunger`, `str`, `agi`, `vit`, `int`, `dex`, `luk`, `hp`,`max_hp`,`sp`,`max_sp`,`skill_point`,`rename_flag`, `vaporize` FROM `%s` WHERE `homun_id`='%u'", homunculus_db, homun_id) ) @@ -247,6 +253,7 @@ bool mapif_homunculus_rename(char *name) { int i; + nullpo_ret(name); // Check Authorized letters/symbols in the name of the homun if( char_name_option == 1 ) {// only letters/symbols in char_name_letters are authorized -- cgit v1.2.3-70-g09d2 From 54482f9e30665501bf7318919e3aaf0993b36b9b Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Tue, 31 Mar 2015 00:36:34 +0300 Subject: Add checks to int_mail.c --- src/char/int_mail.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/char/int_mail.c b/src/char/int_mail.c index 17fb9d424..cd2fa0deb 100644 --- a/src/char/int_mail.c +++ b/src/char/int_mail.c @@ -15,6 +15,7 @@ #include "mapif.h" #include "../common/malloc.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/sql.h" @@ -30,6 +31,7 @@ static int inter_mail_fromsql(int char_id, struct mail_data* md) char *data; StringBuf buf; + nullpo_ret(md); memset(md, 0, sizeof(struct mail_data)); md->amount = 0; md->full = false; 
@@ -114,6 +116,7 @@ int inter_mail_savemessage(struct mail_message* msg) SqlStmt* stmt; int j; + nullpo_ret(msg); // build message save query StrBuf->Init(&buf); StrBuf->Printf(&buf, "INSERT INTO `%s` (`send_name`, `send_id`, `dest_name`, `dest_id`, `title`, `message`, `time`, `status`, `zeny`, `amount`, `nameid`, `refine`, `attribute`, `identify`, `unique_id`", mail_db); @@ -151,6 +154,7 @@ static bool inter_mail_loadmessage(int mail_id, struct mail_message* msg) { int j; StringBuf buf; + nullpo_ret(msg); memset(msg, 0, sizeof(struct mail_message)); // Initialize data StrBuf->Init(&buf); @@ -203,6 +207,7 @@ static bool inter_mail_loadmessage(int mail_id, struct mail_message* msg) void mapif_mail_sendinbox(int fd, int char_id, unsigned char flag, struct mail_data *md) { + nullpo_retv(md); //FIXME: dumping the whole structure like this is unsafe [ultramage] WFIFOHEAD(fd, sizeof(struct mail_data) + 9); WFIFOW(fd,0) = 0x3848; @@ -263,6 +268,7 @@ static bool inter_mail_DeleteAttach(int mail_id) void mapif_mail_sendattach(int fd, int char_id, struct mail_message *msg) { + nullpo_retv(msg); WFIFOHEAD(fd, sizeof(struct item) + 12); WFIFOW(fd,0) = 0x384a; WFIFOW(fd,2) = sizeof(struct item) + 12; @@ -402,6 +408,7 @@ void mapif_mail_send(int fd, struct mail_message* msg) { int len = sizeof(struct mail_message) + 4; + nullpo_retv(msg); WFIFOHEAD(fd,len); WFIFOW(fd,0) = 0x384d; WFIFOW(fd,2) = len; @@ -449,6 +456,11 @@ void mapif_parse_mail_send(int fd) void inter_mail_sendmail(int send_id, const char* send_name, int dest_id, const char* dest_name, const char* title, const char* body, int zeny, struct item *item) { struct mail_message msg; + nullpo_retv(send_name); + nullpo_retv(dest_name); + nullpo_retv(title); + nullpo_retv(body); + nullpo_retv(item); memset(&msg, 0, sizeof(struct mail_message)); msg.send_id = send_id; -- cgit v1.2.3-70-g09d2 From 9764a9329802816c4f896ed64d9611b40e83af59 Mon Sep 17 00:00:00 2001 
From: Andrei Karas Date: Tue, 31 Mar 2015 00:42:45 +0300 Subject: Add checks to int_mercenary.c --- src/char/int_mercenary.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/char/int_mercenary.c b/src/char/int_mercenary.c index 2bd94b97e..3321627c0 100644 --- a/src/char/int_mercenary.c +++ b/src/char/int_mercenary.c @@ -15,6 +15,7 @@ #include "mapif.h" #include "../common/malloc.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/sql.h" @@ -27,6 +28,7 @@ bool inter_mercenary_owner_fromsql(int char_id, struct mmo_charstatus *status) { char* data; + nullpo_ret(status); if( SQL_ERROR == SQL->Query(inter->sql_handle, "SELECT `merc_id`, `arch_calls`, `arch_faith`, `spear_calls`, `spear_faith`, `sword_calls`, `sword_faith` FROM `%s` WHERE `char_id` = '%d'", mercenary_owner_db, char_id) ) { Sql_ShowDebug(inter->sql_handle); @@ -53,6 +55,7 @@ bool inter_mercenary_owner_fromsql(int char_id, struct mmo_charstatus *status) bool inter_mercenary_owner_tosql(int char_id, struct mmo_charstatus *status) { + nullpo_ret(status); if( SQL_ERROR == SQL->Query(inter->sql_handle, "REPLACE INTO `%s` (`char_id`, `merc_id`, `arch_calls`, `arch_faith`, `spear_calls`, `spear_faith`, `sword_calls`, `sword_faith`) VALUES ('%d', '%d', '%d', '%d', '%d', '%d', '%d', '%d')", mercenary_owner_db, char_id, status->mer_id, status->arch_calls, status->arch_faith, status->spear_calls, status->spear_faith, status->sword_calls, status->sword_faith) ) { @@ -78,6 +81,7 @@ bool mapif_mercenary_save(struct s_mercenary* merc) { bool flag = true; + nullpo_ret(merc); if( merc->mercenary_id == 0 ) { // Create new DB entry if( SQL_ERROR == SQL->Query(inter->sql_handle, @@ -105,6 +109,7 @@ bool mapif_mercenary_load(int merc_id, int char_id, struct s_mercenary *merc) { char* data; + nullpo_ret(merc); memset(merc, 0, sizeof(struct s_mercenary)); merc->mercenary_id = merc_id; merc->char_id = char_id; 
@@ -148,6 +153,7 @@ void mapif_mercenary_send(int fd, struct s_mercenary *merc, unsigned char flag) { int size = sizeof(struct s_mercenary) + 5; + nullpo_retv(merc); WFIFOHEAD(fd,size); WFIFOW(fd,0) = 0x3870; WFIFOW(fd,2) = size; -- cgit v1.2.3-70-g09d2 From 7995906e50b0194755b7417df4b7e4a60b21321b Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Tue, 31 Mar 2015 01:04:22 +0300 Subject: Add checks to int_party.c --- src/char/int_party.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/char/int_party.c b/src/char/int_party.c index bf950ec42..79bd1139c 100644 --- a/src/char/int_party.c +++ b/src/char/int_party.c @@ -18,6 +18,7 @@ #include "../common/malloc.h" #include "../common/mapindex.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/sql.h" @@ -29,6 +30,7 @@ struct inter_party_interface inter_party_s; static int inter_party_check_lv(struct party_data *p) { int i; unsigned int lv; + nullpo_ret(p); p->min_lv = UINT_MAX; p->max_lv = 0; for(i=0;imin_lv = UINT_MAX; p->max_lv = 0; p->party.count = @@ -109,6 +112,7 @@ int inter_party_tosql(struct party *p, int flag, int index) if( p == NULL || p->party_id == 0 ) return 0; + Assert_ret(index >= 0 && index < MAX_PARTY); party_id = p->party_id; #ifdef NOISY @@ -295,6 +299,7 @@ struct party_data* inter_party_search_partyname(const char *const str) // Returns whether this party can keep having exp share or not. int inter_party_check_exp_share(struct party_data *const p) { + nullpo_ret(p); return (p->party.count < 2 || p->max_lv - p->min_lv <= party_share_level); } @@ -318,6 +323,7 @@ int inter_party_check_empty(struct party_data *p) // Create a party whether or not int mapif_party_created(int fd, int account_id, int char_id, struct party *p) { + nullpo_ret(p); WFIFOHEAD(fd, 39); WFIFOW(fd,0)=0x3820; WFIFOL(fd,2)=account_id; 
@@ -353,6 +359,7 @@ void mapif_party_noinfo(int fd, int party_id, int char_id) void mapif_party_info(int fd, struct party* p, int char_id) { unsigned char buf[8 + sizeof(struct party)]; + nullpo_retv(p); WBUFW(buf,0) = 0x3821; WBUFW(buf,2) = 8 + sizeof(struct party); WBUFL(buf,4) = char_id; @@ -381,6 +388,7 @@ int mapif_party_memberadded(int fd, int party_id, int account_id, int char_id, i int mapif_party_optionchanged(int fd, struct party *p, int account_id, int flag) { unsigned char buf[16]; + nullpo_ret(p); WBUFW(buf,0)=0x3823; WBUFL(buf,2)=p->party_id; WBUFL(buf,6)=account_id; @@ -411,6 +419,8 @@ int mapif_party_membermoved(struct party *p, int idx) { unsigned char buf[20]; + nullpo_ret(p); + Assert_ret(idx >= 0 && idx < MAX_PARTY); WBUFW(buf,0) = 0x3825; WBUFL(buf,2) = p->party_id; WBUFL(buf,6) = p->member[idx].account_id; @@ -438,6 +448,7 @@ int mapif_party_broken(int party_id, int flag) int mapif_party_message(int party_id, int account_id, char *mes, int len, int sfd) { unsigned char buf[512]; + nullpo_ret(mes); WBUFW(buf,0)=0x3827; WBUFW(buf,2)=len+12; WBUFL(buf,4)=party_id; @@ -456,6 +467,8 @@ int mapif_parse_CreateParty(int fd, char *name, int item, int item2, struct part { struct party_data *p; int i; + nullpo_ret(name); + nullpo_ret(leader); if( (p=inter_party->search_partyname(name))!=NULL){ mapif->party_created(fd,leader->account_id,leader->char_id,NULL); return 0; @@ -523,6 +536,7 @@ int mapif_parse_PartyAddMember(int fd, int party_id, struct party_member *member struct party_data *p; int i; + nullpo_ret(member); p = inter_party->fromsql(party_id); if( p == NULL || p->size == MAX_PARTY ) { mapif->party_memberadded(fd, party_id, member->account_id, member->char_id, 1); -- cgit v1.2.3-70-g09d2 From 097e767aec64b8de52ea9e52d7b12ee89191d678 Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Tue, 31 Mar 2015 11:59:17 +0300 Subject: Add checks to int_pet.c --- src/char/int_pet.c | 6 ++++++ 1 file changed, 6 insertions(+) 
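Review bot: `len` is still unchecked in mapif_party_message after the added `nullpo_ret(mes)`: it is written into the packet length at `WBUFW(buf,2)=len+12` while `buf` is a fixed 512-byte stack array, so a message longer than the buffer (or a negative len) would presumably overrun the copy that follows. Add `Assert_ret(len >= 0 && len + 12 <= (int)sizeof(buf));` next to the null check. The function body continues outside the hunk, so the copy itself is not visible here.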
diff --git a/src/char/int_pet.c b/src/char/int_pet.c index b37037844..b01777771 100644 --- a/src/char/int_pet.c +++ b/src/char/int_pet.c @@ -15,6 +15,7 @@ #include "mapif.h" #include "../common/malloc.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/sql.h" @@ -29,6 +30,7 @@ int inter_pet_tosql(int pet_id, struct s_pet* p) //`pet` (`pet_id`, `class`,`name`,`account_id`,`char_id`,`level`,`egg_id`,`equip`,`intimate`,`hungry`,`rename_flag`,`incubate`) char esc_name[NAME_LENGTH*2+1];// escaped pet name + nullpo_ret(p); SQL->EscapeStringLen(inter->sql_handle, esc_name, p->name, strnlen(p->name, NAME_LENGTH)); p->hungry = cap_value(p->hungry, 0, 100); p->intimate = cap_value(p->intimate, 0, 1000); @@ -70,6 +72,7 @@ int inter_pet_fromsql(int pet_id, struct s_pet* p) #ifdef NOISY ShowInfo("Loading pet (%d)...\n",pet_id); #endif + nullpo_ret(p); memset(p, 0, sizeof(struct s_pet)); //`pet` (`pet_id`, `class`,`name`,`account_id`,`char_id`,`level`,`egg_id`,`equip`,`intimate`,`hungry`,`rename_flag`,`incubate`) @@ -145,6 +148,7 @@ int mapif_pet_created(int fd, int account_id, struct s_pet *p) int mapif_pet_info(int fd, int account_id, struct s_pet *p) { + nullpo_ret(p); WFIFOHEAD(fd, sizeof(struct s_pet) + 9); WFIFOW(fd, 0) =0x3881; WFIFOW(fd, 2) =sizeof(struct s_pet) + 9; @@ -193,6 +197,7 @@ int mapif_delete_pet_ack(int fd, int flag) int mapif_create_pet(int fd, int account_id, int char_id, short pet_class, short pet_lv, short pet_egg_id, short pet_equip, short intimate, short hungry, char rename_flag, char incubate, char *pet_name) { + nullpo_ret(pet_name); memset(inter_pet->pt, 0, sizeof(struct s_pet)); safestrncpy(inter_pet->pt->name, pet_name, NAME_LENGTH); if(incubate == 1) 
@@ -254,6 +259,7 @@ int mapif_save_pet(int fd, int account_id, struct s_pet *data) { //here process pet save request. int len; + nullpo_ret(data); RFIFOHEAD(fd); len=RFIFOW(fd, 2); if (sizeof(struct s_pet) != len-8) { -- cgit v1.2.3-70-g09d2 From 9b5bb84f693a19ff119af01fc0d4953e59ac583e Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Tue, 31 Mar 2015 12:13:01 +0300 Subject: Add checks to int_quest.c --- src/char/int_quest.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/char/int_quest.c b/src/char/int_quest.c index dd3d4e1bf..1d64f48a3 100644 --- a/src/char/int_quest.c +++ b/src/char/int_quest.c @@ -16,6 +16,7 @@ #include "../common/db.h" #include "../common/malloc.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/sql.h" @@ -66,8 +67,9 @@ struct quest *mapif_quests_fromsql(int char_id, int *count) || SQL_ERROR == SQL->StmtBindColumn(stmt, 0, SQLDT_INT, &tmp_quest.quest_id, 0, NULL, NULL) || SQL_ERROR == SQL->StmtBindColumn(stmt, 1, SQLDT_INT, &tmp_quest.state, 0, NULL, NULL) || SQL_ERROR == SQL->StmtBindColumn(stmt, 2, SQLDT_UINT, &tmp_quest.time, 0, NULL, NULL) - ) + ) { sqlerror = SQL_ERROR; + } StrBuf->Destroy(&buf); @@ -244,6 +246,7 @@ int mapif_parse_quest_save(int fd) void mapif_send_quests(int fd, int char_id, struct quest *tmp_questlog, int num_quests) { + nullpo_retv(tmp_questlog); WFIFOHEAD(fd,num_quests*sizeof(struct quest)+8); WFIFOW(fd,0) = 0x3860; WFIFOW(fd,2) = num_quests*sizeof(struct quest)+8; -- cgit v1.2.3-70-g09d2 From d57016b84dae3f51468bf52a3784a440af93bbb7 Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Tue, 31 Mar 2015 12:34:47 +0300 Subject: Add checks to int_storage.c --- src/char/int_storage.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/char/int_storage.c b/src/char/int_storage.c index db49eb46e..7afafc406 100644 --- a/src/char/int_storage.c +++ b/src/char/int_storage.c 
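Review bot: The new `nullpo_retv(tmp_questlog)` in mapif_send_quests returns before the 0x3860 reply is written; if a caller can pass a NULL list together with `num_quests == 0` (a character with no quests), the map server would then never receive the empty quest log. Consider guarding only the non-empty case, `if (num_quests > 0) { nullpo_retv(tmp_questlog); }`, or confirm that every caller hands over a non-NULL pointer. The function continues outside the hunk.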
@@ -16,6 +16,7 @@ #include "mapif.h" #include "../common/malloc.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/sql.h" @@ -28,6 +29,7 @@ struct inter_storage_interface inter_storage_s; /// Save storage data to sql int inter_storage_tosql(int account_id, struct storage_data* p) { + nullpo_ret(p); chr->memitemdata_to_sql(p->items, MAX_STORAGE, account_id, TABLE_STORAGE); return 0; } @@ -40,6 +42,7 @@ int inter_storage_fromsql(int account_id, struct storage_data* p) int i; int j; + nullpo_ret(p); memset(p, 0, sizeof(struct storage_data)); //clean up memory p->storage_amount = 0; @@ -82,6 +85,7 @@ int inter_storage_fromsql(int account_id, struct storage_data* p) /// Save guild_storage data to sql int inter_storage_guild_storage_tosql(int guild_id, struct guild_storage* p) { + nullpo_ret(p); chr->memitemdata_to_sql(p->items, MAX_GUILD_STORAGE, guild_id, TABLE_GUILD_STORAGE); ShowInfo ("guild storage save to DB - guild: %d\n", guild_id); return 0; @@ -95,6 +99,7 @@ int inter_storage_guild_storage_fromsql(int guild_id, struct guild_storage* p) int i; int j; + nullpo_ret(p); memset(p, 0, sizeof(struct guild_storage)); //clean up memory p->storage_amount = 0; p->guild_id = guild_id; @@ -297,7 +302,8 @@ int mapif_parse_ItemBoundRetrieve_sub(int fd) for( j = 0; j < MAX_SLOTS; ++j ) SQL->StmtBindColumn(stmt, 10+j, SQLDT_SHORT, &item.card[j], 0, NULL, NULL); - while( SQL_SUCCESS == SQL->StmtNextRow(stmt) ) { + while( SQL_SUCCESS == SQL->StmtNextRow(stmt)) { + Assert_retb(i >= MAX_INVENTORY); memcpy(&items[i],&item,sizeof(struct item)); i++; } -- cgit v1.2.3-70-g09d2 From c2029c1947091d59f543de911581c83e566e875c Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Tue, 31 Mar 2015 13:00:05 +0300 Subject: Add checks to inter.c --- src/char/inter.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) 
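Review bot: The new bounds guard in mapif_parse_ItemBoundRetrieve_sub is inverted: `Assert_retb(i >= MAX_INVENTORY)` asserts the out-of-range case, so it fails on the very first row (i == 0) and presumably leaves the function before any item is copied, while a genuine overflow of `items[]` would pass. The intended guard is `Assert_retb(i < MAX_INVENTORY);`. The declared size of `items` is not visible in the hunk; confirm it is MAX_INVENTORY. The enclosing function starts before the hunk.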
diff --git a/src/char/inter.c b/src/char/inter.c index eb14f1593..ec06df0f9 100644 --- a/src/char/inter.c +++ b/src/char/inter.c @@ -27,6 +27,7 @@ #include "../common/db.h" #include "../common/malloc.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/strlib.h" @@ -97,6 +98,7 @@ bool inter_msg_config_read(const char *cfg_name, bool allow_override) FILE *fp; static int called = 1; + nullpo_ret(cfg_name); if ((fp = fopen(cfg_name, "r")) == NULL) { ShowError("Messages file not found: %s\n", cfg_name); return 1; @@ -384,6 +386,7 @@ void inter_vmsg_to_fd(int fd, int u_fd, int aid, char* msg, va_list ap) va_list apcopy; int len = 1;/* yes we start at 1 */ + nullpo_retv(msg); va_copy(apcopy, ap); len += vsnprintf(msg_out, 512, msg, apcopy); va_end(apcopy); @@ -484,6 +487,12 @@ void mapif_parse_accinfo2(bool success, int map_fd, int u_fd, int u_aid, int acc const char *email, const char *last_ip, const char *lastlogin, const char *pin_code, const char *birthdate, int group_id, int logincount, int state) { + nullpo_retv(userid); + nullpo_retv(user_pass); + nullpo_retv(email); + nullpo_retv(last_ip); + nullpo_retv(lastlogin); + nullpo_retv(birthdate); if (map_fd <= 0 || !session_isActive(map_fd)) return; // check if we have a valid fd @@ -546,6 +555,7 @@ void mapif_parse_accinfo2(bool success, int map_fd, int u_fd, int u_aid, int acc **/ void inter_savereg(int account_id, int char_id, const char *key, unsigned int index, intptr_t val, bool is_string) { + nullpo_retv(key); /* to login server we go! */ if( key[0] == '#' && key[1] == '#' ) {/* global account reg */ if( session_isValid(chr->login_fd) ) @@ -769,6 +779,7 @@ static int inter_config_read(const char* cfgName) char line[1024], w1[1024], w2[1024]; FILE* fp; + nullpo_retr(1, cfgName); fp = fopen(cfgName, "r"); if(fp == NULL) { ShowError("File not found: %s\n", cfgName); 
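Review bot: `nullpo_ret(cfg_name)` in inter_msg_config_read returns 0 on a NULL path, while the existing failure branch two lines below returns 1 and the inter_config_read hunk in the same commit uses `nullpo_retr(1, cfgName)`; the two error paths of this function now disagree. Use `nullpo_retr(1, cfg_name);` to match the established failure value. The function's return type is `bool` per the hunk header, so which of 0 and 1 the callers treat as failure should be confirmed before picking.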
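Review bot: `pin_code` is the only string parameter of mapif_parse_accinfo2 left without a `nullpo_retv` while its neighbours `lastlogin` and `birthdate` received one. If it is dereferenced later in the function (the body runs past the hunk), add `nullpo_retv(pin_code);` alongside the others; if it is intentionally optional, a short comment saying so would keep the omission from looking accidental.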
@@ -916,6 +927,8 @@ int mapif_broadcast(unsigned char *mes, int len, unsigned int fontColor, short f { unsigned char *buf = (unsigned char*)aMalloc((len)*sizeof(unsigned char)); + nullpo_ret(mes); + Assert_ret(len >= 16); WBUFW(buf,0) = 0x3800; WBUFW(buf,2) = len; WBUFL(buf,4) = fontColor; @@ -934,8 +947,12 @@ int mapif_broadcast(unsigned char *mes, int len, unsigned int fontColor, short f int mapif_wis_message(struct WisData *wd) { unsigned char buf[2048]; + nullpo_ret(wd); //if (wd->len > 2047-56) wd->len = 2047-56; //Force it to fit to avoid crashes. [Skotlex] - if( wd->len >= sizeof(wd->msg) - 1 ) wd->len = sizeof(wd->msg) - 1; + if (wd->len < 0) + wd->len = 0; + if (wd->len >= sizeof(wd->msg) - 1) + wd->len = sizeof(wd->msg) - 1; WBUFW(buf, 0) = 0x3801; WBUFW(buf, 2) = 56 +wd->len; @@ -951,6 +968,7 @@ int mapif_wis_message(struct WisData *wd) void mapif_wis_response(int fd, unsigned char *src, int flag) { unsigned char buf[27]; + nullpo_retv(src); WBUFW(buf, 0)=0x3802; memcpy(WBUFP(buf, 2),src,24); WBUFB(buf,26)=flag; @@ -960,6 +978,7 @@ void mapif_wis_response(int fd, unsigned char *src, int flag) // Wis sending result int mapif_wis_end(struct WisData *wd, int flag) { + nullpo_ret(wd); mapif->wis_response(wd->fd, wd->src, flag); return 0; } @@ -968,6 +987,7 @@ int mapif_wis_end(struct WisData *wd, int flag) // Account registry transfer to map-server static void mapif_account_reg(int fd, unsigned char *src) { + nullpo_retv(src); WBUFW(src,0)=0x3804; //NOTE: writing to RFIFO mapif->sendallwos(fd, src, WBUFW(src,2)); } @@ -1005,6 +1025,7 @@ int inter_check_ttl_wisdata_sub(DBKey key, DBData *data, va_list ap) { int64 tick; struct WisData *wd = DB->data2ptr(data); + nullpo_ret(wd); tick = va_arg(ap, int64); if (DIFF_TICK(tick, wd->tick) > WISDATA_TTL && wis_delnum < WISDELLIST_MAX) 
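Review bot: In mapif_broadcast the `aMalloc((len)*sizeof(unsigned char))` in the declaration still runs before the new `nullpo_ret(mes)` and `Assert_ret(len >= 16)`, so both early returns leak `buf`, and a negative or undersized `len` reaches the allocator unchecked. Declare `buf` first and allocate only after the guards have passed. The rest of the function is outside the hunk.
```c
unsigned char *buf;

nullpo_ret(mes);
Assert_ret(len >= 16);
buf = (unsigned char*)aMalloc((len)*sizeof(unsigned char));
/* … unchanged: packet header writes … */
```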
@@ -1208,6 +1229,7 @@ int mapif_parse_RegistryRequest(int fd) void mapif_namechange_ack(int fd, int account_id, int char_id, int type, int flag, const char *const name) { + nullpo_retv(name); WFIFOHEAD(fd, NAME_LENGTH+13); WFIFOW(fd, 0) = 0x3806; WFIFOL(fd, 2) = account_id; -- cgit v1.2.3-70-g09d2 From b9640535e151f7bc74f94deb72d8e544b714984e Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Tue, 31 Mar 2015 13:04:23 +0300 Subject: Add checks to loginif.c --- src/char/loginif.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/char/loginif.c b/src/char/loginif.c index 5247e6c3e..f53d9bb71 100644 --- a/src/char/loginif.c +++ b/src/char/loginif.c @@ -14,6 +14,7 @@ #include "../common/cbasetypes.h" #include "../common/core.h" +#include "../common/nullpo.h" #include "../common/showmsg.h" #include "../common/socket.h" #include "../common/timer.h" @@ -88,6 +89,7 @@ void do_final_loginif(void) void loginif_block_account(int account_id, int flag) { + Assert_retv(chr->login_fd != -1); WFIFOHEAD(chr->login_fd,10); WFIFOW(chr->login_fd,0) = 0x2724; WFIFOL(chr->login_fd,2) = account_id; @@ -97,6 +99,7 @@ void loginif_block_account(int account_id, int flag) void loginif_ban_account(int account_id, short year, short month, short day, short hour, short minute, short second) { + Assert_retv(chr->login_fd != -1); WFIFOHEAD(chr->login_fd,18); WFIFOW(chr->login_fd, 0) = 0x2725; WFIFOL(chr->login_fd, 2) = account_id; @@ -111,6 +114,7 @@ void loginif_ban_account(int account_id, short year, short month, short day, sho void loginif_unban_account(int account_id) { + Assert_retv(chr->login_fd != -1); WFIFOHEAD(chr->login_fd,6); WFIFOW(chr->login_fd,0) = 0x272a; WFIFOL(chr->login_fd,2) = account_id; @@ -119,6 +123,7 @@ void loginif_unban_account(int account_id) void loginif_changesex(int account_id) { + Assert_retv(chr->login_fd != -1); WFIFOHEAD(chr->login_fd,6); WFIFOW(chr->login_fd,0) = 0x2727; WFIFOL(chr->login_fd,2) = account_id; 
@@ -127,6 +132,8 @@ void loginif_changesex(int account_id) void loginif_auth(int fd, struct char_session_data* sd, uint32 ipl) { + Assert_retv(chr->login_fd != -1); + nullpo_retv(sd); WFIFOHEAD(chr->login_fd,23); WFIFOW(chr->login_fd,0) = 0x2712; // ask login-server to authenticate an account WFIFOL(chr->login_fd,2) = sd->account_id; @@ -140,6 +147,7 @@ void loginif_auth(int fd, struct char_session_data* sd, uint32 ipl) void loginif_send_users_count(int users) { + Assert_retv(chr->login_fd != -1); WFIFOHEAD(chr->login_fd,6); WFIFOW(chr->login_fd,0) = 0x2714; WFIFOL(chr->login_fd,2) = users; @@ -148,6 +156,7 @@ void loginif_send_users_count(int users) void loginif_connect_to_server(void) { + Assert_retv(chr->login_fd != -1); WFIFOHEAD(chr->login_fd,86); WFIFOW(chr->login_fd,0) = 0x2710; memcpy(WFIFOP(chr->login_fd,2), chr->userid, NAME_LENGTH); -- cgit v1.2.3-70-g09d2 From 65ec2372eed350ba5796e9c9be0e092e5ffa4ff4 Mon Sep 17 00:00:00 2001 From: Andrei Karas Date: Tue, 31 Mar 2015 13:10:58 +0300 Subject: Add checks to pincode.c --- src/char/pincode.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/char/pincode.c b/src/char/pincode.c index b8b30a1b8..c3d2b2298 100644 --- a/src/char/pincode.c +++ b/src/char/pincode.c @@ -11,6 +11,7 @@ #include "char.h" #include "../common/cbasetypes.h" #include "../common/mmo.h" +#include "../common/nullpo.h" #include "../common/random.h" #include "../common/showmsg.h" #include "../common/socket.h" @@ -18,9 +19,10 @@ struct pincode_interface pincode_s; -void pincode_handle ( int fd, struct char_session_data* sd ) { +void pincode_handle (int fd, struct char_session_data* sd) { struct online_char_data* character = (struct online_char_data*)idb_get(chr->online_char_db, sd->account_id); + nullpo_retv(sd); if( character && character->pincode_enable > pincode->charselect ){ character->pincode_enable = pincode->charselect * 2; }else{ 
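Review bot: `nullpo_retv(sd)` in pincode_handle comes one statement too late: `sd->account_id` is already dereferenced in the initializer of `character` on the line above it, so a NULL `sd` still crashes before the guard runs. Split the declaration from the lookup so the check precedes the dereference: `struct online_char_data* character;` / `nullpo_retv(sd);` / `character = (struct online_char_data*)idb_get(chr->online_char_db, sd->account_id);`. The function continues past the hunk.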
@@ -44,6 +46,7 @@ void pincode_handle ( int fd, struct char_session_data* sd ) { void pincode_check(int fd, struct char_session_data* sd) { char pin[5] = "\0\0\0\0"; + nullpo_retv(sd); safestrncpy(pin, (char*)RFIFOP(fd, 6), sizeof(pin)); pincode->decrypt(sd->pincode_seed, pin); if( pincode->compare( fd, sd, pin ) ){ @@ -55,6 +58,8 @@ void pincode_check(int fd, struct char_session_data* sd) { } int pincode_compare(int fd, struct char_session_data* sd, char* pin) { + nullpo_ret(sd); + nullpo_ret(pin); if( strcmp( sd->pincode, pin ) == 0 ){ sd->pincode_try = 0; return 1; @@ -70,6 +75,7 @@ int pincode_compare(int fd, struct char_session_data* sd, char* pin) { void pincode_change(int fd, struct char_session_data* sd) { char oldpin[5] = "\0\0\0\0", newpin[5] = "\0\0\0\0"; + nullpo_retv(sd); safestrncpy(oldpin, (char*)RFIFOP(fd,6), sizeof(oldpin)); pincode->decrypt(sd->pincode_seed,oldpin); if( !pincode->compare( fd, sd, oldpin ) ) @@ -85,6 +91,7 @@ void pincode_change(int fd, struct char_session_data* sd) { void pincode_setnew(int fd, struct char_session_data* sd) { char newpin[5] = "\0\0\0\0"; + nullpo_retv(sd); safestrncpy(newpin, (char*)RFIFOP(fd,6), sizeof(newpin)); pincode->decrypt(sd->pincode_seed,newpin); pincode->update( sd->account_id, newpin ); @@ -102,6 +109,7 @@ void pincode_setnew(int fd, struct char_session_data* sd) { // 7 = char select window shows a button - client sends 0x8c5 // 8 = pincode was incorrect void pincode_sendstate(int fd, struct char_session_data* sd, uint16 state) { + nullpo_retv(sd); WFIFOHEAD(fd, 12); WFIFOW(fd, 0) = 0x8b9; WFIFOL(fd, 2) = sd->pincode_seed = rnd() % 0xFFFF; @@ -111,6 +119,8 @@ void pincode_sendstate(int fd, struct char_session_data* sd, uint16 state) { } void pincode_notifyLoginPinUpdate(int account_id, char* pin) { + nullpo_retv(pin); + Assert_retv(chr->login_fd != -1); WFIFOHEAD(chr->login_fd,11); WFIFOW(chr->login_fd,0) = 0x2738; WFIFOL(chr->login_fd,2) = account_id; 
@@ -129,6 +139,7 @@ void pincode_decrypt(unsigned int userSeed, char* pin) { int i; char tab[10] = {0,1,2,3,4,5,6,7,8,9}; + nullpo_retv(pin); for (i = 1; i < 10; i++) { int pos; userSeed = pincode->baseSeed + userSeed * pincode->multiplier; @@ -149,6 +160,8 @@ void pincode_decrypt(unsigned int userSeed, char* pin) { bool pincode_config_read(char *w1, char *w2) { + nullpo_ret(w1); + nullpo_ret(w2); while ( true ) { if ( strcmpi(w1, "pincode_enabled") == 0 ) { pincode->enabled = atoi(w2); -- cgit v1.2.3-70-g09d2