[Bug Fix] Fix two invalid data accesses in zone/client.cpp (#2238)

* Correct potential read out of bounds on array in Client::Doppelganger * Correct potential read out of bounds in Client::ChannelMessageSend * Corrected logic to not read out of bounds on the lower end.
2026-02-21 09:32:25 +00:00 · 2022-06-06 20:26:36 -07:00 · 2022-06-06 20:26:36 -07:00 · 243fb781e8
commit 243fb781e8
parent ec4d228dd5
1 changed files with 4 additions and 5 deletions
--- a/zone/client.cpp
+++ b/zone/client.cpp
@ -1291,7 +1291,7 @@ void Client::ChannelMessageSend(const char* from, const char* to, uint8 chan_num

 	if (senderCanTrainSelf || weAreNotSender) {
 		if ((chan_num == ChatChannel_Group) && (ListenerSkill < 100)) {	// group message in unmastered language, check for skill up
-			if (m_pp.languages[language] <= lang_skill)
+			if (language < MAX_PP_LANGUAGE && m_pp.languages[language] <= lang_skill)
 				CheckLanguageSkillIncrease(language, lang_skill);
 		}
 	}
@ -6519,8 +6519,7 @@ void Client::Doppelganger(uint16 spell_id, Mob *target, const char *name_overrid

 	npc_type = made_npc;

-	int summon_count = 0;
-	summon_count = pet.count;
+	int summon_count = pet.count;

 	if(summon_count > MAX_SWARM_PETS)
 		summon_count = MAX_SWARM_PETS;
@ -6541,7 +6540,7 @@ void Client::Doppelganger(uint16 spell_id, Mob *target, const char *name_overrid
 		NPC* swarm_pet_npc = new NPC(
 				(npc_dup!=nullptr)?npc_dup:npc_type,	//make sure we give the NPC the correct data pointer
 				0,
-				GetPosition() + glm::vec4(swarmPetLocations[summon_count], 0.0f, 0.0f),
+				GetPosition() + glm::vec4(swarmPetLocations[summon_count - 1], 0.0f, 0.0f),
 				GravityBehavior::Water);

 		if(!swarm_pet_npc->GetSwarmInfo()){
@ -11753,4 +11752,4 @@ void Client::Undye()
 	}

 	database.DeleteCharacterDye(CharacterID());
-}
+}