From 799daaae551556fce9a261c1280dd54cfd45aedd Mon Sep 17 00:00:00 2001
From: jackpoz
Date: Mon, 30 Dec 2013 16:15:37 +0100
Subject: Core/Transports: Fix array overflow
Fix an array overflow in TransportMgr::GeneratePath() spline code.
Valgrind log:
Invalid read of size 4
at : G3D::Vector3::operator*(float) const (Vector3.h:650)
by : Movement::C_Evaluate(G3D::Vector3 const*, float, G3D::Matrix4 const&, G3D::Vector3&) (Spline.cpp:103)
by : Movement::SplineBase::SegLengthCatmullRom(int) const (Spline.cpp:171)
by : Movement::SplineBase::SegLength(int) const (in /home/jackpoz/trinity/bin/worldserver)
by : Movement::Spline::initLengths() (SplineImpl.h:86)
by : TransportMgr::GeneratePath(GameObjectTemplate const*, TransportTemplate*) (TransportMgr.cpp:125)
by : TransportMgr::LoadTransportTemplates() (TransportMgr.cpp:78)
Address 0x1d07d154 is 8 bytes after a block of size 300 alloc'd
---
 src/server/game/Maps/TransportMgr.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/server/game/Maps')
diff --git a/src/server/game/Maps/TransportMgr.cpp b/src/server/game/Maps/TransportMgr.cpp
index 8e768924eb8..328342ab303 100644
--- a/src/server/game/Maps/TransportMgr.cpp
+++ b/src/server/game/Maps/TransportMgr.cpp
@@ -98,7 +98,7 @@ public:
 cyclic = false;
 points.assign(_points.begin(), _points.end());
 lo = 1;
- hi = points.size();
+ hi = points.size() - 2;
 }
 Movement::PointsArray& _points;
-- 
cgit v1.2.3
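Review bot: The new bound `hi = points.size() - 2;` subtracts from an unsigned `size()` with no visible check that `_points` is large enough. If a transport path arrives with fewer than two points, the subtraction wraps, and `hi` could again index past the allocation that the Valgrind log shows being over-read. The enclosing function starts outside the hunk, so a guard may already exist upstream. If it does not, reject or assert on short paths before this assignment, since the points appear to come from loaded template data. The bare `2` also deserves a comment such as `// the Catmull-Rom segment evaluation reads control points past the segment index, so the last usable index is size() - 2`, worded to match what `SegLengthCatmullRom` actually reads.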