From cbb42ac58f44a4fff3f46a5f1b968d5567059548 Mon Sep 17 00:00:00 2001
From: Kelsi
Date: Fri, 27 Mar 2026 14:20:28 -0700
Subject: [PATCH] fix: guard spline point loop against unsigned underflow when pointCount==1

The uncompressed spline skip loop used `pointCount - 1` in its bound without guarding pointCount > 1. While pointCount==0 is already handled by an early return, pointCount==1 would correctly iterate 0 times, but the explicit guard makes the intent clearer and prevents future issues if the early return is ever removed.
---
 src/game/world_packets.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/game/world_packets.cpp b/src/game/world_packets.cpp
index 84ec7002..016d89bb 100644
--- a/src/game/world_packets.cpp
+++ b/src/game/world_packets.cpp
@@ -3167,9 +3167,11 @@ bool MonsterMoveParser::parse(network::Packet& packet, MonsterMoveData& data) {
 if (uncompressed) {
 // Read last point as destination
 // Skip to last point: each point is 12 bytes
- for (uint32_t i = 0; i < pointCount - 1; i++) {
- if (!packet.hasRemaining(12)) return true;
- packet.readFloat(); packet.readFloat(); packet.readFloat();
+ if (pointCount > 1) {
+ for (uint32_t i = 0; i < pointCount - 1; i++) {
+ if (!packet.hasRemaining(12)) return true;
+ packet.readFloat(); packet.readFloat(); packet.readFloat();
+ }
 }
 if (!packet.hasRemaining(12)) return true;
 data.destX = packet.readFloat();
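Review bot: The added `if (pointCount > 1)` wrapper is a no-op for pointCount==1, where the loop already ran zero times. The value that wraps `pointCount - 1` to 0xFFFFFFFF is pointCount==0, which the commit message says is caught by an early return outside this hunk. Writing the bound without the subtraction, `for (uint32_t i = 1; i < pointCount; i++) {`, removes the underflow for every value and needs no extra nesting. Separately, both `if (!packet.hasRemaining(12)) return true;` checks report success on a truncated packet, so the caller presumably receives a MonsterMoveData whose destination fields (`data.destX` onward) were never read from the wire. Confirm those fields are initialised before this point, or return false on the short read; the body of MonsterMoveParser::parse starts and ends outside the hunk.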