From f9f72c9d4a8c46587d06ba7c95c07d889be2c803 Mon Sep 17 00:00:00 2001
From: Ibrahim Zidan
Date: Sat, 4 Apr 2020 01:44:39 +0200
Subject: Fix quest info copying npc_data instead of storing it pointer, resulting in always false comparison and even possible memory violation access
Signed-off-by: Ibrahim Zidan
---
 src/map/map.c | 6 +++---
 src/map/map.h | 2 +-
 src/map/quest.c | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
(limited to 'src')
diff --git a/src/map/map.c b/src/map/map.c
index defa56b2e..6ebc50ba3 100644
--- a/src/map/map.c
+++ b/src/map/map.c
@@ -6047,11 +6047,11 @@ static bool map_add_questinfo(int m, struct npc_data *nd)
 nullpo_retr(false, nd);
 Assert_retr(false, m >= 0 && m < map->count);
- if (&VECTOR_LAST(map->list[m].qi_list) == nd)
+ if (VECTOR_LAST(map->list[m].qi_list) == nd)
 return false;
 VECTOR_ENSURE(map->list[m].qi_list, 1, 1);
- VECTOR_PUSH(map->list[m].qi_list, *nd);
+ VECTOR_PUSH(map->list[m].qi_list, nd);
 return true;
 }
@@ -6062,7 +6062,7 @@ static bool map_remove_questinfo(int m, struct npc_data *nd)
 Assert_retr(false, m >= 0 && m < map->count);
 int i;
- ARR_FIND(0, VECTOR_LENGTH(map->list[m].qi_list), i, &VECTOR_INDEX(map->list[m].qi_list, i) == nd);
+ ARR_FIND(0, VECTOR_LENGTH(map->list[m].qi_list), i, VECTOR_INDEX(map->list[m].qi_list, i) == nd);
 if (i != VECTOR_LENGTH(map->list[m].qi_list)) {
 VECTOR_ERASE(map->list[m].qi_list, i);
 return true;
diff --git a/src/map/map.h b/src/map/map.h
index a876539d0..2de6df2f7 100644
--- a/src/map/map.h
+++ b/src/map/map.h
@@ -846,7 +846,7 @@ struct map_data {
 } cell_buf;
 /* questinfo entries list */
- VECTOR_DECL(struct npc_data) qi_list;
+ VECTOR_DECL(struct npc_data *) qi_list;
 /* speeds up clif_updatestatus processing by causing hpmeter to run only when someone with the permission can view it */
 unsigned short hpmeter_visible;
diff --git a/src/map/quest.c b/src/map/quest.c
index 10ea668a6..217acfa19 100644
--- a/src/map/quest.c
+++ b/src/map/quest.c
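Review bot: The new `if (VECTOR_LAST(map->list[m].qi_list) == nd)` in map_add_questinfo is evaluated before anything checks that the list is non-empty, so on a map whose qi_list is still empty the macro presumably reads element length-1, i.e. index -1; the length has to be tested first (the second commit on this page replaces this line with an ARR_FIND scan, which covers that case). The duplicate check also only compares against the most recently pushed entry, so the same npc registered after another one is pushed twice; a scan of the whole vector, as map_remove_questinfo in the next hunk already does, is the right test. The function's signature line is outside the hunk, in the `@@` header.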
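Review bot: With `VECTOR_DECL(struct npc_data *) qi_list;` the list now aliases npc objects it does not own, and the field comment says nothing about that; I would extend it to `/* questinfo entries list: non-owning npc_data pointers, call map_remove_questinfo before the npc is freed */`. I cannot see from this page whether every npc unload path calls map_remove_questinfo for each map the npc registered on; if one does not, a freed npc leaves a dangling pointer in qi_list that quest_questinfo_refresh dereferences on the next refresh. struct map_data begins and ends outside the hunk.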
@@ -675,7 +675,7 @@ static void quest_questinfo_refresh(struct map_session_data *sd)
 nullpo_retv(sd);
 for (int i = 0; i < VECTOR_LENGTH(map->list[sd->bl.m].qi_list); i++) {
- struct npc_data *nd = &VECTOR_INDEX(map->list[sd->bl.m].qi_list, i);
+ struct npc_data *nd = VECTOR_INDEX(map->list[sd->bl.m].qi_list, i);
 int j;
 ARR_FIND(0, VECTOR_LENGTH(nd->qi_data), j, quest->questinfo_validate(sd, &VECTOR_INDEX(nd->qi_data, j)) == true);
--
cgit v1.2.3-70-g09d2
From 58c4ce73b9fdc1d67a928e37742510bf49bb7dbc Mon Sep 17 00:00:00 2001
From: Ibrahim Zidan
Date: Sat, 4 Apr 2020 02:48:42 +0200
Subject: Fixed a memory violation in quest info caused by accessing -1 index when qi_list vector length is 0
Signed-off-by: Ibrahim Zidan
---
 src/map/map.c | 6 +++++-
 src/map/script.c | 5 +++--
 2 files changed, 8 insertions(+), 3 deletions(-)
(limited to 'src')
diff --git a/src/map/map.c b/src/map/map.c
index 6ebc50ba3..b2c9c77c3 100644
--- a/src/map/map.c
+++ b/src/map/map.c
@@ -6047,8 +6047,12 @@ static bool map_add_questinfo(int m, struct npc_data *nd)
 nullpo_retr(false, nd);
 Assert_retr(false, m >= 0 && m < map->count);
- if (VECTOR_LAST(map->list[m].qi_list) == nd)
+ int i;
+ ARR_FIND(0, VECTOR_LENGTH(map->list[m].qi_list), i, VECTOR_INDEX(map->list[m].qi_list, i) == nd);
+
+ if (i < VECTOR_LENGTH(map->list[m].qi_list)) {
 return false;
+ }
 VECTOR_ENSURE(map->list[m].qi_list, 1, 1);
 VECTOR_PUSH(map->list[m].qi_list, nd);
diff --git a/src/map/script.c b/src/map/script.c
index b8a7979a7..9a2b0f757 100644
--- a/src/map/script.c
+++ b/src/map/script.c
@@ -22021,12 +22021,13 @@ static BUILDIN(setquestinfo)
 return false;
 }
- qi = &VECTOR_LAST(nd->qi_data);
- if (qi == NULL) {
+ if (VECTOR_LENGTH(nd->qi_data) == 0) {
 ShowWarning("buildin_setquestinfo: no valide questinfo data has been found for this npc.\n");
 return false;
 }
+ qi = &VECTOR_LAST(nd->qi_data);
+ + switch (type) {
 case QINFO_JOB:
 {
--
cgit v1.2.3-70-g09d2
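Review bot: The membership test in map_add_questinfo spells the found condition as `if (i < VECTOR_LENGTH(map->list[m].qi_list))`, while map_remove_questinfo in the same file (visible in the first commit on this page) tests the same ARR_FIND result with `i != VECTOR_LENGTH(...)`; the two sibling functions should use one form. I would also put a why-comment above the scan, `/* reject duplicates anywhere in the list; a VECTOR_LAST compare would read index -1 on an empty vector */`, because the reason for replacing a one-element compare with a full scan otherwise lives only in the commit message. This assumes ARR_FIND leaves i equal to the end bound when nothing matches, including for an empty range, which is how map_remove_questinfo already relies on it. The function's signature line is outside the hunk.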
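Review bot: The removed `if (qi == NULL)` could never fire, since `&VECTOR_LAST(nd->qi_data)` is the address of an array slot and is never NULL, so the new `if (VECTOR_LENGTH(nd->qi_data) == 0)` is the first guard that actually prevents forming a pointer to element -1; I would say so on the guard, `/* &VECTOR_LAST() on an empty vector would point at index -1 — check the length first */`, so the pointer test is not reintroduced later. Separately, the warning text `"no valide questinfo data"` has a typo (`valid`); it is a context line here, but worth fixing while this block is being touched. The body of setquestinfo continues before and after the hunk, and whether anything in the switch grows nd->qi_data while qi still points into it is not visible from here.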