From ffa6dda4d9987be9ed90605b67e37b7f1f3b632f Mon Sep 17 00:00:00 2001
From: Kelsi
Date: Sat, 14 Mar 2026 10:48:20 -0700
Subject: [PATCH] fix(combatlog): validate packed GUID bounds in attacker state parsers
---
 src/game/packet_parsers_classic.cpp | 10 +++++++++-
 src/game/world_packets.cpp | 8 ++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/game/packet_parsers_classic.cpp b/src/game/packet_parsers_classic.cpp
index 3d3e1a92..e99329b3 100644
--- a/src/game/packet_parsers_classic.cpp
+++ b/src/game/packet_parsers_classic.cpp
@@ -489,9 +489,17 @@ bool ClassicPacketParsers::parseAttackerStateUpdate(network::Packet& packet, Att
 auto rem = [&]() { return packet.getSize() - packet.getReadPos(); };
 if (rem() < 5) return false; // hitInfo(4) + at least GUID mask byte(1)
+ const size_t startPos = packet.getReadPos();
 data.hitInfo = packet.readUInt32();
+ if (!hasFullPackedGuid(packet)) {
+ packet.setReadPos(startPos);
+ return false;
+ }
 data.attackerGuid = UpdateObjectParser::readPackedGuid(packet); // PackedGuid in Vanilla
- if (rem() < 1) return false;
+ if (!hasFullPackedGuid(packet)) {
+ packet.setReadPos(startPos);
+ return false;
+ }
 data.targetGuid = UpdateObjectParser::readPackedGuid(packet); // PackedGuid in Vanilla
 if (rem() < 5) return false; // int32 totalDamage + uint8 subDamageCount
diff --git a/src/game/world_packets.cpp b/src/game/world_packets.cpp
index c52be440..82126379 100644
--- a/src/game/world_packets.cpp
+++ b/src/game/world_packets.cpp
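Review bot: The retained `if (rem() < 5) return false;` after the targetGuid read in ClassicPacketParsers::parseAttackerStateUpdate (packet_parsers_classic.cpp) still returns without restoring the read position, while the two guards added above it rewind to `startPos`. A packet truncated just after the GUIDs therefore fails with the cursor left mid-packet, so callers see two different post-failure states from the same function. Suggest `if (rem() < 5) { packet.setReadPos(startPos); return false; }` here, and the same treatment for any later early returns, which lie outside this hunk along with the start of the function. Separately, `rem()` looks like an unsigned subtraction (assuming getSize/getReadPos return size_t, as `startPos` suggests), so it would wrap to a huge value if a read ever moved the cursor past the end; worth confirming readPackedGuid cannot do that.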
@@ -3343,7 +3343,15 @@ bool AttackerStateUpdateParser::parse(network::Packet& packet, AttackerStateUpda
 size_t startPos = packet.getReadPos();
 data.hitInfo = packet.readUInt32();
+ if (!hasFullPackedGuid(packet)) {
+ packet.setReadPos(startPos);
+ return false;
+ }
 data.attackerGuid = UpdateObjectParser::readPackedGuid(packet);
+ if (!hasFullPackedGuid(packet)) {
+ packet.setReadPos(startPos);
+ return false;
+ }
 data.targetGuid = UpdateObjectParser::readPackedGuid(packet);
 // Validate totalDamage + subDamageCount can be read (5 bytes)
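Review bot: On both new failure paths in AttackerStateUpdateParser::parse the read position is rewound but `data` is not: `data.hitInfo` has already been overwritten, and `data.attackerGuid` too when the second check fails. A caller that reuses the struct or does not test the return value would then act on fields taken from a rejected packet. Either read into locals and assign to `data` only once both GUIDs are validated, or state the contract above the function, e.g. `// On false the packet read position is restored to entry; the contents of data are unspecified.` hasFullPackedGuid is not defined anywhere in this patch, so it cannot be confirmed from here that it checks the mask byte itself is present before counting the bytes that mask announces. The function starts and ends outside the hunk.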