From b6995575975ccf503be04c0533c6ce3e54dc019b Mon Sep 17 00:00:00 2001
From: Kelsi
Date: Wed, 11 Mar 2026 14:37:27 -0700
Subject: [PATCH] Cap auction count in AuctionListResultParser

SMSG_AUCTION_LIST_RESULT (Classic/TBC/WotLK) improvements:
- Cap auction count to 256 (prevents unbounded memory allocation)
- Each entry is 80-104 bytes depending on expansion
- Prevents DoS from servers sending huge auction lists
- Log warning when cap is reached

Prevents memory exhaustion from malformed auction house packets.
---
 src/game/world_packets.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/game/world_packets.cpp b/src/game/world_packets.cpp
index 42f03d1b..1d284684 100644
--- a/src/game/world_packets.cpp
+++ b/src/game/world_packets.cpp
@@ -4976,6 +4976,13 @@ bool AuctionListResultParser::parse(network::Packet& packet, AuctionListResult&
 if (packet.getSize() - packet.getReadPos() < 4) return false;
 uint32_t count = packet.readUInt32();
+ // Cap auction count to prevent unbounded memory allocation
+ const uint32_t MAX_AUCTION_RESULTS = 256;
+ if (count > MAX_AUCTION_RESULTS) {
+ LOG_WARNING("AuctionListResultParser: count capped (requested=", count, ")");
+ count = MAX_AUCTION_RESULTS;
+ }
+
 data.auctions.clear();
 data.auctions.reserve(count);
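Review bot: Silently clamping `count` on the `count = MAX_AUCTION_RESULTS;` line and continuing turns a packet the commit itself calls malformed into a "successful" parse whose read position stops on the 257th entry's bytes, so if anything is read after the entry loop it will be misaligned, and the caller cannot tell that the result was truncated. Since the preceding context line already rejects a short packet with `return false;`, the consistent handling is to do the same here — `return false;` in place of `count = MAX_AUCTION_RESULTS;`, with the log message reworded to say the packet was rejected rather than capped. A tighter, data-driven bound is also worth adding next to the fixed cap: `if (count > (packet.getSize() - packet.getReadPos()) / MIN_ENTRY_BYTES) return false;` where `MIN_ENTRY_BYTES` is a placeholder for the smallest per-entry size the loop actually reads (the message says 80 bytes; confirm against the loop), which rejects an impossible count before `reserve(count)` without relying on the 256 guess. The entry loop and the rest of `parse` are outside this hunk. As a point of style, the function-local `const uint32_t MAX_AUCTION_RESULTS` would read better as `constexpr`.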