fix: reject oversized MonsterMove spline and fix loot format comment

Change WotLK MonsterMove pointCount > 1000 from cap-to-1000 to return
false. Capping caused the parser to read only 1000 of N points, leaving
the remaining point data unread and misaligning subsequent reads.

Also correct misleading loot response comment: Classic/TBC DO include
randomSuffix and randomPropertyId (22 bytes/item, same as WotLK). The
only WotLK difference is the quest item list appended after regular
items.
Kelsi 2026-03-18 08:18:21 -07:00
parent 64b03ffdf5
commit 0b33bcbe53
2 changed files with 4 additions and 5 deletions


@ -21253,8 +21253,8 @@ void GameHandler::unstuckHearth() {
}
void GameHandler::handleLootResponse(network::Packet& packet) {
// Classic 1.12 and TBC 2.4.3 use 14 bytes/item (no randomSuffix/randomProp fields);
// WotLK 3.3.5a uses 22 bytes/item.
// All expansions use 22 bytes/item (slot+itemId+count+displayInfo+randSuffix+randProp+slotType).
// WotLK adds a quest item list after the regular items.
const bool wotlkLoot = isActiveExpansion("wotlk");
if (!LootResponseParser::parse(packet, currentLoot, wotlkLoot)) return;
const bool hasLoot = !currentLoot.items.empty() || currentLoot.gold > 0;
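Review bot: the new comment's 22-byte figure checks out against the field list it gives (slot 1 + itemId 4 + count 4 + displayInfo 4 + randSuffix 4 + randProp 4 + slotType 1 = 22), but the comment now describes the wire layout in handleLootResponse while the layout is actually selected inside LootResponseParser::parse via the wotlkLoot flag; consider moving or duplicating the byte-layout comment next to the parser so it stays in sync with the code that reads the fields. Separately, `if (!LootResponseParser::parse(packet, currentLoot, wotlkLoot)) return;` drops a malformed loot packet silently; the MonsterMove hunk in this same commit logs a LOG_WARNING with the guid before rejecting, and a similar warning here would make truncated or malformed loot responses visible instead of failing quietly.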


@ -3252,12 +3252,11 @@ bool MonsterMoveParser::parse(network::Packet& packet, MonsterMoveData& data) {
if (pointCount == 0) return true;
// Cap pointCount to prevent excessive iteration from malformed packets.
constexpr uint32_t kMaxSplinePoints = 1000;
if (pointCount > kMaxSplinePoints) {
LOG_WARNING("SMSG_MONSTER_MOVE: pointCount=", pointCount, " exceeds max ", kMaxSplinePoints,
" (guid=0x", std::hex, data.guid, std::dec, "), capping");
pointCount = kMaxSplinePoints;
" (guid=0x", std::hex, data.guid, std::dec, ")");
return false;
}
// Catmullrom or Flying → all waypoints stored as absolute float3 (uncompressed).
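Review bot: the comment "Cap pointCount to prevent excessive iteration from malformed packets" is now stale, since the branch no longer caps but rejects; suggest "Reject pointCount above kMaxSplinePoints: capping would leave the remaining point data unread and misalign subsequent reads." so the reason for the return false is recorded at the site. Also worth noting for callers: data.guid has already been populated when false is returned (it is used in the log line), and the packet's remaining bytes are still unread, so the caller must discard the whole packet rather than continue parsing from the current offset, which is exactly the misalignment this change is meant to avoid.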