fix ShopEx Buffer Overflow Fix

[Luigina 16]

Hello community !

I found an issue when i was checking ShopEx system. If your pack_tab size is bigger than default m2 / SHOP_HOST_ITEM_MAX_NUM is bigger than default this overflow occurs.
This causes a core crash as seen in the screenshot below: 

https://metin2.download/picture/n2KPdWX19ovTCs9nLW684fA6IibqhrTu/.png

Solution

I use temp buffer for handle better but you can change 8096 too. 

To solve this problem, you can follow these steps:

// In shopEx.cpp

--------------------------------------------------------------
// Search

	char temp[8096];
	char* buf = &temp[0];
	size_t size = 0;

// Change like this

	TEMP_BUFFER buf(16 * 1024);
--------------------------------------------------------------
// Search

		memcpy(buf, &pack_tab, sizeof(pack_tab));
		buf += sizeof(pack_tab);
		size += sizeof(pack_tab);

// Change like this

		buf.write(&pack_tab, sizeof(pack_tab));
--------------------------------------------------------------
// Search

	pack.size = sizeof(pack) + sizeof(pack2) + size;

// Change like this

	pack.size = sizeof(pack) + sizeof(pack2) + buf.size();
--------------------------------------------------------------
// Search
  
	ch->GetDesc()->Packet(temp, size);

// Change like this


	ch->GetDesc()->Packet(buf.read_peek(), buf.size());

 

After following these steps, you should have overcome this problem in the ShopEx system. If you have any problems, please leave a comment.

Kind regards,

Luigina

Edited January 17 by Metin2 Dev International
Core X - External 2 Internal

[Amun 1824]

That picture says that you're calling AddGuest on a null pointer, which is why you're getting the crash.

 

Update: Ok, yeah, I think you're right(also using the TEMP_BUFFER is much better than ballparking the size of your buffers). Been too tired when writing this, don't mind my ass

Edited January 20 by Amun

[Luigina 16]

2 hours ago, Amun said:

That picture says that you're calling AddGuest on a null pointer, which is why you're getting the crash.

There isn't any way to null pointer. I just click to npc and got crash.
Did you see the size on crash ?

I did that change and my problem solved.

King regards !

[CONTROL 5]

I remember I ran into this 4 years ago or something, and I just threw a *4 after the number 8096 and looked away
But this seems more efficient thx < 3

Edited January 20 by CONTROL

[FALLEN1 1]

What did you mean with 
TEMP_BUFFER buf(16 * 1024);? I mean, why 16 * 1024?
And in this case:
char temp[8096 * SHOP_TAB_COUNT_MAX];
I should put 16 * 1024 or should increase?

[Luigina 16]

On 1/24/2024 at 10:54 PM, FALLEN1 said:

What did you mean with 
TEMP_BUFFER buf(16 * 1024);? I mean, why 16 * 1024?
And in this case:
char temp[8096 * SHOP_TAB_COUNT_MAX];
I should put 16 * 1024 or should increase?

You can change like that 

TEMP_BUFFER buf(8 * 1024 * SHOP_TAB_COUNT_MAX);