The old `// lgtm [cpp/...]` comments used a space (invalid syntax) and
were placed on preceding lines rather than inline with the flagged code.
GitHub's CodeQL action v3 requires `// codeql[query-id]` on the same
line as the flagged expression. All four alert sites updated:
- world_socket.cpp: encryptCipher/decryptCipher.init() (protocol RC4)
- warden_module.cpp: decryptRC4() call (Warden protocol RC4)
- warden_crypto.cpp: initRC4() calls (Warden stream cipher init)
- game_handler.cpp: wardenLoadedModule_->load() (MD5+RC4 via Warden)
All uses are protocol-mandated by Blizzard's WoW/Warden spec and cannot
be replaced without breaking server interoperability.

TBC 2.4.3 SMSG_ITEM_QUERY_SINGLE_RESPONSE differs from WotLK: no Flags2,
no BuyCount, statsCount-many stat pairs (not always 10), and no
ScalingStatDistribution/ScalingStatValue. Without this override,
TbcPacketParsers fell back to the WotLK parser and misread stats/armor
with a cascading 16-byte offset. Classic (Vanilla) was already safe via
its own independent ClassicPacketParsers::parseItemQueryResponse().

SMSG_ITEM_QUERY_SINGLE_RESPONSE in WotLK 3.3.5a sends BuyCount as a
separate field before BuyPrice. The parser was skipping only one of the
two fields, shifting every subsequent read by 4 bytes. This caused
statsCount to be read from ContainerSlots (always 0 for non-bags) so
no stat pairs were parsed, and the armor field was read from the wrong
offset in the damage block — leaving all stat bonuses and armor at 0.
Also moved armor above stat bonuses in the item tooltip to match WoW's
canonical tooltip layout (armor, then green stat lines).

Previously other players jittered because the entity sat frozen at its
destination between movement packets, then snapped to the new start
position on the next packet (stop-pop-stop-pop at ~10 Hz).
Entity interpolation now tracks a smoothed velocity and dead-reckons
past the end of each packet window, so the entity keeps gliding at the
estimated speed until the next server update arrives. Movement stops
only after two consecutive intervals with no new packet (entity has
genuinely stopped).
Also replaced the raw packet-delta duration with an exponential moving
average (EMA) per player. A single slow or fast packet no longer spikes
the playback speed; the EMA converges on the actual send rate (~100 ms)
and absorbs jitter without adding a fixed input-latency penalty.
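
Added example, not the project's code: a 1-D sketch of the interval EMA and capped dead reckoning described in the message above. `RemoteMover`, the smoothing factor, the seeded interval, and treating each packet's position as the entity's current position are assumptions of this example.

```cpp
#include <algorithm>

struct RemoteMover {
    double alpha = 0.25;        // EMA weight for a new sample (assumed value)
    double emaInterval = 0.1;   // seconds; seeded at the ~100 ms send rate
    double velocity = 0.0;      // smoothed units per second
    double lastTime = 0.0, lastPos = 0.0;
    bool seen = false;

    // Fold one movement packet into the smoothed interval and velocity.
    void onPacket(double t, double pos) {
        if (seen && t > lastTime) {
            const double dt = t - lastTime;
            emaInterval += alpha * (dt - emaInterval);
            velocity += alpha * ((pos - lastPos) / dt - velocity);
        }
        lastTime = t;
        lastPos = pos;
        seen = true;
    }

    // Keep gliding past the last packet, but hold position once two smoothed
    // intervals have passed with no update (entity treated as stopped).
    double positionAt(double t) const {
        const double ahead = std::min(std::max(t - lastTime, 0.0), 2.0 * emaInterval);
        return lastPos + velocity * ahead;
    }
};

int main() {
    RemoteMover m;
    m.onPacket(0.0, 0.0);
    m.onPacket(0.1, 0.7);
    m.onPacket(0.3, 2.1);   // constructed late packet: raw gap 0.2 s
    return m.emaInterval < 0.2 ? 0 : 1;   // EMA moved only part of the way
}
```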
- game_handler.cpp: use-after-move on node.id after std::move(node)
(save nodeId before the move)
- tcp_socket.cpp, world_socket.cpp: virtual call in destructor bypasses
dispatch; use qualified TCPSocket::disconnect() / WorldSocket::disconnect()
to make intent explicit
- wmo_renderer.cpp: float loop counters risk precision drift; replace with
integer step counts and reconstruct float from index
- game_screen.cpp: (float + 0.5) cast to int is incorrect rounding;
use std::lround instead

Copy Wowee.ico into the build tree at configure time so llvm-rc can
resolve the relative assets\\wowee.ico path in wowee.rc. Also remove a
redundant #include <sys/mman.h> that was incorrectly placed inside a
function body.

warden_emulator.cpp: guard unicorn include + entire implementation with
HAVE_UNICORN; provide stub implementations for platforms without Unicorn
(Windows ARM64 which has no unicorn MSYS2 package)
warden_module.cpp: include <windows.h> for VirtualAlloc/HMODULE/etc on
Windows; always include warden_emulator.hpp so unique_ptr destructor compiles
regardless of HAVE_UNICORN
world_packets.hpp + game_handler.cpp: rename CharCreateResult::ERROR to
CharCreateResult::CHAR_ERROR to avoid wingdi.h #define ERROR 0 collision

Guard X11 display crash handler with __linux__, add Windows GlobalMemoryStatusEx
path in memory_monitor, guard warden cache paths with APPDATA on Windows, and
make pkg-config optional in CMakeLists with a find_library fallback. Add Windows
x86-64 CI job using MSYS2 MINGW64 to the build workflow.

SMSG_QUEST_QUERY_RESPONSE skipped only 18 uint32s before reading the
title string, but Classic layout has 40 fields before the title
(16 header + 8 reward items + 12 choice items + 4 POI fields).
Reading from the wrong position landed inside reward item data where
empty slots contain 0-bytes, so readString() returned "", overwriting
the "Quest #N" placeholder with an empty title — making quests
invisible in the UI even though they were in the quest log.
Fixes:
- Expansion-aware skip count: 40 for Classic/Turtle, 55 for WotLK
- Guard: only update title if parsed string is non-empty and printable
- Also scan quest log fields in VALUES update path (not just CREATE_OBJECT2),
so quests are detected even when the server sends partial updates
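
Added example, not the project's code: a sketch of the expansion-aware skip and the title guard from the message above, run against a constructed Classic-style packet. The skip counts 40 and 55 come from the message; the function names, `QuestEntry`, a buffer that starts at the first skipped field, and "printable" meaning no control bytes are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <utility>
#include <vector>

enum class Expansion { Classic, Turtle, WotLK };
struct QuestEntry { uint32_t id; std::string title; };

// uint32 fields preceding the title, as given in the commit message.
constexpr std::size_t titleSkipCount(Expansion e) { return e == Expansion::WotLK ? 55 : 40; }

// Read the NUL-terminated title after `skipFields` uint32s. Fails if the skip
// runs past the packet, the terminator is missing, or the string is empty or
// holds control bytes (this example's assumed meaning of "printable").
std::optional<std::string> readTitleAfter(const std::vector<uint8_t>& pkt,
                                          std::size_t skipFields) {
    std::size_t i = skipFields * sizeof(uint32_t);
    if (i >= pkt.size()) return std::nullopt;                    // skip overruns packet
    std::string title;
    for (; i < pkt.size() && pkt[i] != 0; ++i) {
        if (pkt[i] < 0x20 || pkt[i] == 0x7f) return std::nullopt;  // control byte
        title.push_back(static_cast<char>(pkt[i]));
    }
    if (i == pkt.size() || title.empty()) return std::nullopt;   // unterminated or empty
    return title;
}

// Overwrite the "Quest #N" placeholder only when a valid title was parsed.
bool updateQuestTitle(QuestEntry& q, const std::vector<uint8_t>& pkt, Expansion e) {
    auto title = readTitleAfter(pkt, titleSkipCount(e));
    if (!title) return false;
    q.title = std::move(*title);
    return true;
}

// Constructed sample: `fields` zeroed uint32s followed by the title string.
std::vector<uint8_t> makeSamplePacket(std::size_t fields, const std::string& title) {
    std::vector<uint8_t> pkt(fields * sizeof(uint32_t), 0);
    pkt.insert(pkt.end(), title.begin(), title.end());
    pkt.push_back(0);
    return pkt;
}

int main() {
    QuestEntry q{7, "Quest #7"};
    return updateQuestTitle(q, makeSamplePacket(40, "Sample Quest"), Expansion::Classic) ? 0 : 1;
}
```

With the old skip of 18 the read lands in the zeroed fields, the string comes back empty, and the guard leaves the placeholder in place.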
- Add Entity::setOrientation() to update facing without cancelling movement
- Force attacker and victim to face each other on SMSG_ATTACKSTART
- Fix orientation sign error in MonsterMove: use atan2(-dy, dx) throughout so
NPCs don't glide backward; clamp FacingAngle moves that are >90° off travel vector
- Tab-target: skip dead units and non-hostiles at both build and advance time;
stale entries (killed between presses) are skipped inline rather than cycling to them
- Spirit healer resurrection: detect same-map SMSG_NEW_WORLD with resurrectPending_
and skip the full world reload/entity clear, preventing the fall-forever bug

- add per-frame nearby creature render sync from entity positions/orientation to prevent model-vs-target-circle drift
- treat lootable dynflag as dead state hint for unit spawn/deferred-display paths
- fire NPC death callback when a late display spawn is already dead/lootable
- remove loot-response money fallback announce/SFX to stop duplicate copper messages on re-opened corpses
- use movement animation (prefer run, fallback walk) for server-driven creature moves
- synthesize short movement duration for duration-less movement deltas to avoid glide/attack-pose sliding
- return to idle after both walk/run movement states
- drive target circle from entity latest position and always interpolate selected/engaged targets
- propagate item damage range and delay into ItemDef during inventory rebuild
- show weapon damage, speed, and DPS in inventory/character slot tooltips
- fix online spawn camera pitch sign so third-person camera starts above ground
- parse and cache item class/subclass, damage range, and attack delay from item query responses
- render weapon damage, speed, and DPS in the shared item-link tooltip
- render weapon damage, speed, and DPS in vendor hover tooltips
- keep armor and primary stat lines intact
- send CMSG_BUY_ITEM as vendorGuid + itemId + count (drop extra slot/bag fields)
- reset vendor list state before parsing SMSG_LIST_INVENTORY to prevent stale items carrying over
- add packet length guards for list-inventory header and per-item rows
- keep optional extended-cost parsing for cross-core compatibility
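
Added example, not the project's code: a sketch of the SMSG_LIST_INVENTORY header and per-row length guards, with the list rebuilt from scratch on every parse. The byte layout (uint64 GUID, uint8 count, seven uint32 per row plus an optional extended-cost uint32), all names, and the `hasExtendedCost` flag are assumptions; how the client decides whether extended cost is present is not stated above.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

struct VendorItem { uint32_t slot, itemId, price, extendedCost; };
struct VendorList { uint64_t vendorGuid = 0; std::vector<VendorItem> items; };

// Assumed layout: uint64 guid + uint8 count, then 7 uint32 per item,
// plus one trailing uint32 when the core sends an extended cost.
constexpr std::size_t kHeader = 8 + 1, kRowBase = 7 * 4, kRowExt = kRowBase + 4;

uint32_t le32(const uint8_t* p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | (uint32_t(p[3]) << 24);
}

// Builds a fresh list on every call, so no rows survive from an earlier vendor.
// Returns nullopt if the header or the claimed rows would overrun the packet.
std::optional<VendorList> parseListInventory(const std::vector<uint8_t>& pkt,
                                             bool hasExtendedCost) {
    if (pkt.size() < kHeader) return std::nullopt;                // header guard
    VendorList out;
    for (int i = 7; i >= 0; --i) out.vendorGuid = (out.vendorGuid << 8) | pkt[i];
    const std::size_t count = pkt[8];                             // untrusted
    const std::size_t row = hasExtendedCost ? kRowExt : kRowBase;
    if (pkt.size() - kHeader < count * row) return std::nullopt;  // row guard
    for (std::size_t i = 0; i < count; ++i) {
        const uint8_t* p = pkt.data() + kHeader + i * row;
        out.items.push_back({le32(p), le32(p + 4), le32(p + 16),
                             hasExtendedCost ? le32(p + 28) : 0u});
    }
    return out;
}

// Constructed sample: header claims `count` rows, but only `rows` are present.
std::vector<uint8_t> makeSample(uint8_t count, std::size_t rows, std::size_t row) {
    std::vector<uint8_t> pkt(kHeader + rows * row, 0);
    pkt[0] = 0x2A;  pkt[8] = count;                 // GUID low byte, row count
    for (std::size_t i = 0; i < rows; ++i) {
        uint8_t* p = pkt.data() + kHeader + i * row;
        p[4] = uint8_t(100 + i);  p[16] = 50;       // itemId, price
        if (row == kRowExt) p[28] = 9;              // extended cost id
    }
    return pkt;
}

int main() { return parseListInventory(makeSample(3, 2, kRowExt), true) ? 1 : 0; }
```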