Fixed heap-buffer-overflow on npcshopdelitem

dastgirp · dastgirp · commit d3bf0f5d82f8 · 2019-10-02T11:56:43.000+05:30
npcshopdelitem now moves data within structure size.
diff --git a/src/map/script.c b/src/map/script.c
@@ -18030,10 +18030,12 @@ static BUILDIN(npcshopdelitem)
 		unsigned int nameid = script_getnum(st,i);
 
 		ARR_FIND(0, size, n, nd->u.shop.shop_item[n].nameid == nameid);
-		if (n < size) {
-			memmove(&nd->u.shop.shop_item[n], &nd->u.shop.shop_item[n+1], sizeof(nd->u.shop.shop_item[0])*(size-n));
-			size--;
+		if (n == size) {
+			continue;
+		} else if (n < size - 1) {
+			memmove(&nd->u.shop.shop_item[n], &nd->u.shop.shop_item[n+1], sizeof(nd->u.shop.shop_item[0]) * (size - n - 1));
 		}
+		size--;
 	}
 
 	RECREATE(nd->u.shop.shop_item, struct npc_item_list, size);

Original file line number	Diff line number	Diff line change
`@@ -18030,10 +18030,12 @@ static BUILDIN(npcshopdelitem)`
`18030`	`18030`	`unsigned int nameid = script_getnum(st,i);`
`18031`	`18031`
`18032`	`18032`	`ARR_FIND(0, size, n, nd->u.shop.shop_item[n].nameid == nameid);`
`18033`		`- if (n < size) {`
`18034`		`- memmove(&nd->u.shop.shop_item[n], &nd->u.shop.shop_item[n+1], sizeof(nd->u.shop.shop_item[0])*(size-n));`
`18035`		`- size--;`
	`18033`	`+ if (n == size) {`
	`18034`	`+ continue;`
	`18035`	`+ } else if (n < size - 1) {`
	`18036`	`+ memmove(&nd->u.shop.shop_item[n], &nd->u.shop.shop_item[n+1], sizeof(nd->u.shop.shop_item[0]) * (size - n - 1));`
`18036`	`18037`	`}`
	`18038`	`+ size--;`
`18037`	`18039`	`}`
`18038`	`18040`
`18039`	`18041`	`RECREATE(nd->u.shop.shop_item, struct npc_item_list, size);`