* Fix a crash in Player::BuyItemFromVendor caused by player spoofing packets (Backported from TC2)

* Another crash exploit prevention using the same method in Bag::StoreItem, by Visagalis --HG-- branch : trunk
author: Machiavelli <none@none> 2009-06-24 19:58:01 +0200
committer: Machiavelli <none@none> 2009-06-24 19:58:01 +0200
commit: 7fd26a5fee28cc875aff421ae38df61e259a5fc9 (patch)
tree: 67a598fec09ae307cc486966c22f24026e9422b8
parent: 13110a35c469d3a9087e604aaf336237c0573a3a (diff)
2 files changed, 9 insertions, 1 deletions
diff --git a/src/game/Bag.cpp b/src/game/Bag.cpp
index 331b12acde5..a4b7bcb5c2d 100644
--- a/src/game/Bag.cpp
+++ b/src/game/Bag.cpp
@@ -151,7 +151,11 @@ void Bag::RemoveItem( uint8 slot, bool /*update*/ )
 
 void Bag::StoreItem( uint8 slot, Item *pItem, bool /*update*/ )
 {
-    assert(slot < MAX_BAG_SIZE);
+    if(slot > MAX_BAG_SIZE)
+    {
+        sLog.outError("Player GUID" UI64FMTD "tried to manipulate packets and crash the server.", GetOwnerGUID());
+        return;
+    }
 
     if( pItem )
     {
diff --git a/src/game/Player.cpp b/src/game/Player.cpp
index b24b3da2ace..7e400be4cb0 100644
--- a/src/game/Player.cpp
+++ b/src/game/Player.cpp
@@ -17131,6 +17131,10 @@ bool Player::BuyItemFromVendor(uint64 vendorguid, uint32 item, uint8 count, uint
 {
     // cheating attempt
     if(count < 1) count = 1;
+    
+    // cheating attempt
+    if(slot > MAX_BAG_SIZE)
+        return false;
 
     if(!isAlive())
         return false;
author	Machiavelli <none@none>	2009-06-24 19:58:01 +0200
committer	Machiavelli <none@none>	2009-06-24 19:58:01 +0200
commit	7fd26a5fee28cc875aff421ae38df61e259a5fc9 (patch)
tree	67a598fec09ae307cc486966c22f24026e9422b8
parent	13110a35c469d3a9087e604aaf336237c0573a3a (diff)