From 7fd26a5fee28cc875aff421ae38df61e259a5fc9 Mon Sep 17 00:00:00 2001
From: Machiavelli <none@none>
Date: Wed, 24 Jun 2009 19:58:01 +0200
Subject: * Fix a crash in Player::BuyItemFromVendor caused by player spoofing
 packets (Backported from TC2) * Another crash exploit prevention using the
 same method in Bag::StoreItem, by Visagalis

--HG--
branch : trunk
---
 src/game/Bag.cpp    | 6 +++++-
 src/game/Player.cpp | 4 ++++
 2 files changed, 9 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/game/Bag.cpp b/src/game/Bag.cpp
index 331b12acde5..a4b7bcb5c2d 100644
--- a/src/game/Bag.cpp
+++ b/src/game/Bag.cpp
@@ -151,7 +151,11 @@ void Bag::RemoveItem( uint8 slot, bool /*update*/ )
 
 void Bag::StoreItem( uint8 slot, Item *pItem, bool /*update*/ )
 {
-    assert(slot < MAX_BAG_SIZE);
+    if(slot > MAX_BAG_SIZE)
+    {
+        sLog.outError("Player GUID" UI64FMTD "tried to manipulate packets and crash the server.", GetOwnerGUID());
+        return;
+    }
 
     if( pItem )
     {
diff --git a/src/game/Player.cpp b/src/game/Player.cpp
index b24b3da2ace..7e400be4cb0 100644
--- a/src/game/Player.cpp
+++ b/src/game/Player.cpp
@@ -17131,6 +17131,10 @@ bool Player::BuyItemFromVendor(uint64 vendorguid, uint32 item, uint8 count, uint
 {
     // cheating attempt
     if(count < 1) count = 1;
+    
+    // cheating attempt
+    if(slot > MAX_BAG_SIZE)
+        return false;
 
     if(!isAlive())
         return false;
-- 
cgit v1.2.3