fix(Core/MailHandler): Prevent client crash while receiving a malformed mail (#3223)

* Fix an issue in the MailHandler that let you crash the users client.
2026-01-13 01:08:35 +00:00 · 2020-07-28 11:02:09 +02:00
parent a37fa5307c
commit fdb84742d1
1 changed files with 22 additions and 5 deletions
--- a/src/server/game/Handlers/MailHandler.cpp
+++ b/src/server/game/Handlers/MailHandler.cpp
@@ -52,11 +52,17 @@ void WorldSession::HandleSendMail(WorldPacket & recvData)
    std::string receiver, subject, body;
    uint32 unk1, unk2, money, COD;
    uint8 unk4;
+
    recvData >> mailbox;
    recvData >> receiver;

    recvData >> subject;

+    // prevent client crash
+    if (subject.find("| |") != std::string::npos || body.find("| |") != std::string::npos) {
+        return;
+    }
+
    recvData >> body;

    recvData >> unk1;                                      // stationery?
@@ -630,6 +636,17 @@ void WorldSession::HandleGetMailList(WorldPacket & recvData)
                break;
        }

+        // prevent client crash
+        std::string subject = (*itr)->subject;
+        std::string body = (*itr)->body;
+
+        if (subject.find("| |") != std::string::npos) {
+            subject = "";
+        }
+        if (body.find("| |") != std::string::npos) {
+            body = "";
+        }
+
        data << uint32((*itr)->COD);                         // COD
        data << uint32(0);                                   // probably changed in 3.3.3
        data << uint32((*itr)->stationery);                  // stationery (Stationery.dbc)
@@ -637,8 +654,8 @@ void WorldSession::HandleGetMailList(WorldPacket & recvData)
        data << uint32((*itr)->checked);                     // flags
        data << float(float((*itr)->expire_time-time(NULL))/DAY); // Time
        data << uint32((*itr)->mailTemplateId);              // mail template (MailTemplate.dbc)
-        data << (*itr)->subject;                             // Subject string - once 00, when mail type = 3, max 256
-        data << (*itr)->body;                                // message? max 8000
+        data << subject;                                     // Subject string - once 00, when mail type = 3, max 256
+        data << body;                                        // message? max 8000
        data << uint8(item_count);                           // client limit is 0x10

        for (uint8 i = 0; i < item_count; ++i)