From 0b33bcbe53cebfd33a4fc2bf114a37c4c827b3f2 Mon Sep 17 00:00:00 2001
From: Kelsi
Date: Wed, 18 Mar 2026 08:18:21 -0700
Subject: [PATCH] fix: reject oversized MonsterMove spline and fix loot format comment

Change WotLK MonsterMove pointCount > 1000 from cap-to-1000 to return false. Capping caused the parser to read only 1000 of N points, leaving the remaining point data unread and misaligning subsequent reads.

Also correct misleading loot response comment: Classic/TBC DO include randomSuffix and randomPropertyId (22 bytes/item, same as WotLK). The only WotLK difference is the quest item list appended after regular items.
---
 src/game/game_handler.cpp | 4 ++--
 src/game/world_packets.cpp | 5 ++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/game/game_handler.cpp b/src/game/game_handler.cpp
index 77fe91b5..8b96c8e4 100644
--- a/src/game/game_handler.cpp
+++ b/src/game/game_handler.cpp
@@ -21253,8 +21253,8 @@ void GameHandler::unstuckHearth() {
 }
 void GameHandler::handleLootResponse(network::Packet& packet) {
- // Classic 1.12 and TBC 2.4.3 use 14 bytes/item (no randomSuffix/randomProp fields);
- // WotLK 3.3.5a uses 22 bytes/item.
+ // All expansions use 22 bytes/item (slot+itemId+count+displayInfo+randSuffix+randProp+slotType).
+ // WotLK adds a quest item list after the regular items.
 const bool wotlkLoot = isActiveExpansion("wotlk");
 if (!LootResponseParser::parse(packet, currentLoot, wotlkLoot)) return;
 const bool hasLoot = !currentLoot.items.empty() || currentLoot.gold > 0;
diff --git a/src/game/world_packets.cpp b/src/game/world_packets.cpp
index 24a2b4fb..d9f40091 100644
--- a/src/game/world_packets.cpp
+++ b/src/game/world_packets.cpp
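Review bot: The new comment documents the per-item wire layout at the call site while that layout is implemented inside LootResponseParser::parse, so the two will drift apart silently; it would serve the reader better to describe what the `wotlkLoot` flag actually selects, e.g. `// Per-item layout is identical across expansions; wotlkLoot only tells the parser to expect the quest item list that WotLK appends after the regular items (see LootResponseParser::parse).` The 22-byte claim cannot be checked from this file. In the same hunk, the bare `return` on a failed parse drops a malformed loot response without a trace, unlike the MonsterMove path in this patch which logs the rejected packet; a `LOG_WARNING("handleLootResponse: malformed loot response, dropping");` before the return would make such packets visible in logs. handleLootResponse continues past the end of the hunk.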
@@ -3252,12 +3252,11 @@ bool MonsterMoveParser::parse(network::Packet& packet, MonsterMoveData& data) {
 if (pointCount == 0) return true;
- // Cap pointCount to prevent excessive iteration from malformed packets.
 constexpr uint32_t kMaxSplinePoints = 1000;
 if (pointCount > kMaxSplinePoints) {
 LOG_WARNING("SMSG_MONSTER_MOVE: pointCount=", pointCount, " exceeds max ", kMaxSplinePoints,
- " (guid=0x", std::hex, data.guid, std::dec, "), capping");
- pointCount = kMaxSplinePoints;
+ " (guid=0x", std::hex, data.guid, std::dec, ")");
+ return false;
 }
 // Catmullrom or Flying → all waypoints stored as absolute float3 (uncompressed).
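Review bot: Dropping the old comment leaves the `kMaxSplinePoints` check with no rationale for rejecting instead of truncating, which is exactly the mistake this patch undoes; a short comment would keep the next reader from reintroducing the cap, e.g. `// Reject rather than cap: consuming only part of the spline leaves the remaining point data in the stream and misaligns every subsequent read.` The fixed limit also only catches counts above 1000; if `network::Packet` exposes its unread byte count, checking `pointCount` against the bytes actually remaining (12 per uncompressed float3 point on the Catmullrom/Flying path just below) would reject truncated or malformed packets below the cap too — hedged, since the Packet API is not visible in this hunk. MonsterMoveParser::parse begins and ends outside the hunk.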