fix(combatlog): validate packed GUID bounds in attacker state parsers

2026-03-22 23:30:14 +00:00 · 2026-03-14 10:48:20 -07:00 · 2026-03-14 10:48:20 -07:00 · ffa6dda4d9
commit ffa6dda4d9
parent 5a9be91fac
2 changed files with 17 additions and 1 deletions
--- a/src/game/packet_parsers_classic.cpp
+++ b/src/game/packet_parsers_classic.cpp
@ -489,9 +489,17 @@ bool ClassicPacketParsers::parseAttackerStateUpdate(network::Packet& packet, Att
    auto rem = [&]() { return packet.getSize() - packet.getReadPos(); };
    if (rem() < 5) return false;  // hitInfo(4) + at least GUID mask byte(1)

+    const size_t startPos = packet.getReadPos();
    data.hitInfo      = packet.readUInt32();
+    if (!hasFullPackedGuid(packet)) {
+        packet.setReadPos(startPos);
+        return false;
+    }
    data.attackerGuid = UpdateObjectParser::readPackedGuid(packet); // PackedGuid in Vanilla
-    if (rem() < 1) return false;
+    if (!hasFullPackedGuid(packet)) {
+        packet.setReadPos(startPos);
+        return false;
+    }
    data.targetGuid   = UpdateObjectParser::readPackedGuid(packet); // PackedGuid in Vanilla

    if (rem() < 5) return false;  // int32 totalDamage + uint8 subDamageCount
--- a/src/game/world_packets.cpp
+++ b/src/game/world_packets.cpp
@ -3343,7 +3343,15 @@ bool AttackerStateUpdateParser::parse(network::Packet& packet, AttackerStateUpda

    size_t startPos = packet.getReadPos();
    data.hitInfo = packet.readUInt32();
+    if (!hasFullPackedGuid(packet)) {
+        packet.setReadPos(startPos);
+        return false;
+    }
    data.attackerGuid = UpdateObjectParser::readPackedGuid(packet);
+    if (!hasFullPackedGuid(packet)) {
+        packet.setReadPos(startPos);
+        return false;
+    }
    data.targetGuid = UpdateObjectParser::readPackedGuid(packet);

    // Validate totalDamage + subDamageCount can be read (5 bytes)