summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorHaru <haru@dotalux.com>2019-10-18 12:38:00 +0200
committerGitHub <noreply@github.com>2019-10-18 12:38:00 +0200
commitbe66e6f50c078cb712b8152357325fdaa6d9f35f (patch)
treedfc92d7a13c41f5ae55265fd9358072364a48449
parent9c5fb5b20cb2ada454f6acc39b9ad0c30d86cc55 (diff)
parentd3bf0f5d82f83ddd352047318e292194d98454ab (diff)
downloadhercules-be66e6f50c078cb712b8152357325fdaa6d9f35f.tar.gz
hercules-be66e6f50c078cb712b8152357325fdaa6d9f35f.tar.bz2
hercules-be66e6f50c078cb712b8152357325fdaa6d9f35f.tar.xz
hercules-be66e6f50c078cb712b8152357325fdaa6d9f35f.zip
Merge pull request #2540 from dastgirp/fix/buffer-overflow-npcshopdel
Fixed heap-buffer-overflow on npcshopdelitem
-rw-r--r--src/map/script.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/src/map/script.c b/src/map/script.c
index 0fe97574c..fffe57c34 100644
--- a/src/map/script.c
+++ b/src/map/script.c
@@ -18494,10 +18494,12 @@ static BUILDIN(npcshopdelitem)
unsigned int nameid = script_getnum(st,i);
ARR_FIND(0, size, n, nd->u.shop.shop_item[n].nameid == nameid);
- if (n < size) {
- memmove(&nd->u.shop.shop_item[n], &nd->u.shop.shop_item[n+1], sizeof(nd->u.shop.shop_item[0])*(size-n));
- size--;
+ if (n == size) {
+ continue;
+ } else if (n < size - 1) {
+ memmove(&nd->u.shop.shop_item[n], &nd->u.shop.shop_item[n+1], sizeof(nd->u.shop.shop_item[0]) * (size - n - 1));
}
+ size--;
}
RECREATE(nd->u.shop.shop_item, struct npc_item_list, size);