[11321] Fixed client crash at wrong quest shift-link structure.

Protection only work with ChatStrictLinkChecking.Severity = 3 Thanks to Lugia0529 and Micks for provided testing examples. Also fixed server side infinity loops in ChatHandler::isValidChatMessage
2025-12-16 04:37:00 +00:00 · 2011-04-06 17:32:53 +04:00 · 2011-04-06 17:32:53 +04:00 · 28375e295e
commit 28375e295e
parent f46f4e1b87
2 changed files with 64 additions and 22 deletions
--- a/src/game/Chat.cpp
+++ b/src/game/Chat.cpp
@ -61,7 +61,7 @@
 // |color|Htaxinode:id|h[name]|h|r
 // |color|Htele:id|h[name]|h|r
 // |color|Htitle:id|h[name]|h|r
-// |color|Htrade:spell_id,cur_value,max_value,unk3int,unk3str|h[name]|h|r - client, spellbook profession icon shift-click
+// |color|Htrade:spell_id:cur_value:max_value:unk3int:unk3str|h[name]|h|r - client, spellbook profession icon shift-click

 bool ChatHandler::load_command_table = true;

@ -1555,11 +1555,15 @@ valid examples:
            case 'H':
                // read chars up to colon  = link type
                reader.getline(buffer, 256, ':');
+                if (reader.eof())                           // : must be
+                    return false;

                if (strcmp(buffer, "item") == 0)
                {
                    // read item entry
                    reader.getline(buffer, 256, ':');
+                    if (reader.eof())                       // : must be
+                        return false;

                    linkedItem = ObjectMgr::GetItemPrototype(atoi(buffer));
                    if(!linkedItem)
@ -1643,12 +1647,35 @@ valid examples:
                        DEBUG_LOG("ChatHandler::isValidChatMessage Questtemplate %u not found", questid);
                        return false;
                    }
-                    c = reader.peek();
-                    // level
-                    while(c !='|' && c!='\0')
+
+                    if (c !=':')
                    {
+                        DEBUG_LOG("ChatHandler::isValidChatMessage Invalid quest link structure");
+                        return false;
+                    }
+
                    reader.ignore(1);
                    c = reader.peek();
+                    // level
+                    uint32 questlevel = 0;
+                    while(c >='0' && c<='9')
+                    {
+                        reader.ignore(1);
+                        questlevel *= 10;
+                        questlevel += c-'0';
+                        c = reader.peek();
+                    }
+
+                    if (questlevel >= STRONG_MAX_LEVEL)
+                    {
+                        DEBUG_LOG("ChatHandler::isValidChatMessage Quest level %u too big", questlevel);
+                        return false;
+                    }
+
+                    if (c !='|')
+                    {
+                        DEBUG_LOG("ChatHandler::isValidChatMessage Invalid quest link structure");
+                        return false;
                    }
                }
                else if(strcmp(buffer, "trade") == 0)
@ -1658,6 +1685,9 @@ valid examples:

                    // read spell entry
                    reader.getline(buffer, 256, ':');
+                    if (reader.eof())                       // : must be
+                        return false;
+
                    linkedSpell = sSpellStore.LookupEntry(atoi(buffer));
                    if (!linkedSpell)
                        return false;
@ -1678,6 +1708,9 @@ valid examples:

                    // read talent entry
                    reader.getline(buffer, 256, ':');
+                    if (reader.eof())                       // : must be
+                        return false;
+
                    TalentEntry const *talentInfo = sTalentStore.LookupEntry(atoi(buffer));
                    if (!talentInfo)
                        return false;
@ -1736,7 +1769,11 @@ valid examples:
                {
                    if (color != CHAT_LINK_COLOR_ACHIEVEMENT)
                        return false;
+
                    reader.getline(buffer, 256, ':');
+                    if (reader.eof())                       // : must be
+                        return false;
+
                    uint32 achievementId = atoi(buffer);
                    linkedAchievement = sAchievementStore.LookupEntry(achievementId);

@ -1758,6 +1795,9 @@ valid examples:

                    // first id is slot, drop it
                    reader.getline(buffer, 256, ':');
+                    if (reader.eof())                       // : must be
+                        return false;
+
                    uint32 glyphId = 0;
                    char c = reader.peek();
                    while(c>='0' && c <='9')
@ -1793,6 +1833,8 @@ valid examples:
                        return false;
                    }
                    reader.getline(buffer, 256, ']');
+                    if (reader.eof())                       // ] must be
+                        return false;

                    // verify the link name
                    if (linkedSpell)
--- a/src/shared/revision_nr.h
+++ b/src/shared/revision_nr.h
@ -1,4 +1,4 @@
 #ifndef __REVISION_NR_H__
 #define __REVISION_NR_H__
- #define REVISION_NR "11320"
+ #define REVISION_NR "11321"
 #endif // __REVISION_NR_H__