From d3bf0f5d82f83ddd352047318e292194d98454ab Mon Sep 17 00:00:00 2001
From: Dastgir
Date: Tue, 1 Oct 2019 19:51:35 +0530
Subject: Fixed heap-buffer-overflow on npcshopdelitem

npcshopdelitem now moves data within structure size.
---
 src/map/script.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/map/script.c b/src/map/script.c
index b787d0138..c66ebf481 100644
--- a/src/map/script.c
+++ b/src/map/script.c
@@ -18030,10 +18030,12 @@ static BUILDIN(npcshopdelitem)
 		unsigned int nameid = script_getnum(st,i);
 		ARR_FIND(0, size, n, nd->u.shop.shop_item[n].nameid == nameid);
-		if (n < size) {
-			memmove(&nd->u.shop.shop_item[n], &nd->u.shop.shop_item[n+1], sizeof(nd->u.shop.shop_item[0])*(size-n));
-			size--;
+		if (n == size) {
+			continue;
+		} else if (n < size - 1) {
+			memmove(&nd->u.shop.shop_item[n], &nd->u.shop.shop_item[n+1], sizeof(nd->u.shop.shop_item[0]) * (size - n - 1));
 		}
+		size--;
 	}
 	RECREATE(nd->u.shop.shop_item, struct npc_item_list, size);
--
cgit v1.2.3-70-g09d2
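Review bot: The `else` after `continue` in the new `if (n == size)` branch is redundant and obscures the two distinct decisions (not found vs. last slot); write them as two guards, `if (n == size) continue;` then `if (n + 1 < size) memmove(&nd->u.shop.shop_item[n], &nd->u.shop.shop_item[n+1], sizeof(nd->u.shop.shop_item[0]) * (size - n - 1));`, which also avoids evaluating `size - 1` on a `size` that may be unsigned (its declaration is outside the hunk, so whether an underflow is reachable cannot be confirmed from here; with the `n == size` check taken first it appears not to be). A one-line comment on the memmove would make the corrected count self-explanatory: `/* shift the size - n - 1 entries after slot n down by one; the stale last slot is dropped by RECREATE below */`. ARR_FIND yields only the first match, so a shop that lists the same nameid twice keeps the second copy — pre-existing behaviour, but worth stating in a comment if it is intended. Both the enclosing loop and the function start outside the hunk.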