Guest User

Multisell exploit - aCis

a guest
Jul 28th, 2018
311
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. diff --git a/aCis_gameserver/java/net/sf/l2j/gameserver/model/tradelist/TradeList.java b/aCis_gameserver/java/net/sf/l2j/gameserver/model/tradelist/TradeList.java
  2. index 805345e..2656768 100644
  3. --- a/aCis_gameserver/java/net/sf/l2j/gameserver/model/tradelist/TradeList.java
  4. +++ b/aCis_gameserver/java/net/sf/l2j/gameserver/model/tradelist/TradeList.java
  5. @@ -563,8 +563,8 @@ public class TradeList
  6.             return 1;
  7.        
  8.         int slots = 0;
  9. -       int weight = 0;
  10. -       int totalPrice = 0;
  11. +       long weight = 0;
  12. +       long totalPrice = 0;
  13.        
  14.         final PcInventory ownerInventory = _owner.getInventory();
  15.         final PcInventory playerInventory = player.getInventory();
  16. @@ -599,17 +599,9 @@ public class TradeList
  17.                 continue;
  18.             }
  19.            
  20. -           // check for overflow in the single item
  21. -           if ((Integer.MAX_VALUE / item.getCount()) < item.getPrice())
  22. -           {
  23. -               // private store attempting to overflow - disable it
  24. -               lock();
  25. -               return 1;
  26. -           }
  27. -          
  28. -           totalPrice += item.getCount() * item.getPrice();
  29. -           // check for overflow of the total price
  30. -           if (Integer.MAX_VALUE < totalPrice || totalPrice < 0)
  31. +           totalPrice += (long)item.getCount() * item.getPrice();
  32. +           // Check for overflow
  33. +           if (Integer.MAX_VALUE / item.getCount() < item.getPrice() || totalPrice > Integer.MAX_VALUE || totalPrice < 0)
  34.             {
  35.                 // private store attempting to overflow - disable it
  36.                 lock();
  37. @@ -628,7 +620,7 @@ public class TradeList
  38.             Item template = ItemTable.getInstance().getTemplate(item.getItemId());
  39.             if (template == null)
  40.                 continue;
  41. -           weight += item.getCount() * template.getWeight();
  42. +           weight += (long)item.getCount() * template.getWeight();
  43.             if (!template.isStackable())
  44.                 slots += item.getCount();
  45.             else if (playerInventory.getItemByItemId(item.getItemId()) == null)
  46. @@ -641,15 +633,15 @@ public class TradeList
  47.             return 1;
  48.         }
  49.        
  50. -       if (!playerInventory.validateWeight(weight))
  51. +       if (!playerInventory.validateCapacity(slots))
  52.         {
  53. -           player.sendPacket(SystemMessageId.WEIGHT_LIMIT_EXCEEDED);
  54. +           player.sendPacket(SystemMessageId.SLOTS_FULL);
  55.             return 1;
  56.         }
  57.        
  58. -       if (!playerInventory.validateCapacity(slots))
  59. +       if (weight > Integer.MAX_VALUE || weight < 0 || !playerInventory.validateWeight((int)weight))
  60.         {
  61. -           player.sendPacket(SystemMessageId.SLOTS_FULL);
  62. +           player.sendPacket(SystemMessageId.WEIGHT_LIMIT_EXCEEDED);
  63.             return 1;
  64.         }
  65.        
  66. @@ -658,14 +650,14 @@ public class TradeList
  67.         final InventoryUpdate playerIU = new InventoryUpdate();
  68.        
  69.         final ItemInstance adenaItem = playerInventory.getAdenaInstance();
  70. -       if (!playerInventory.reduceAdena("PrivateStore", totalPrice, player, _owner))
  71. +       if (totalPrice < 0 || !playerInventory.reduceAdena("PrivateStore", (int)totalPrice, player, _owner))
  72.         {
  73.             player.sendPacket(SystemMessageId.YOU_NOT_ENOUGH_ADENA);
  74.             return 1;
  75.         }
  76.        
  77.         playerIU.addItem(adenaItem);
  78. -       ownerInventory.addAdena("PrivateStore", totalPrice, _owner, player);
  79. +       ownerInventory.addAdena("PrivateStore", (int)totalPrice, _owner, player);
  80.        
  81.         boolean ok = true;
  82.        
  83. @@ -792,16 +784,9 @@ public class TradeList
  84.             if (!found)
  85.                 continue;
  86.            
  87. -           // check for overflow in the single item
  88. -           if ((Integer.MAX_VALUE / item.getCount()) < item.getPrice())
  89. -           {
  90. -               lock();
  91. -               break;
  92. -           }
  93. -          
  94. -           int _totalPrice = totalPrice + item.getCount() * item.getPrice();
  95. -           // check for overflow of the total price
  96. -           if (Integer.MAX_VALUE < _totalPrice || _totalPrice < 0)
  97. +           long _totalPrice = totalPrice + (long)item.getCount() * item.getPrice();
  98. +           // check for overflow
  99. +           if (Integer.MAX_VALUE / item.getCount() < item.getPrice() || _totalPrice > Integer.MAX_VALUE || _totalPrice < 0)
  100.             {
  101.                 lock();
  102.                 break;
  103. @@ -844,7 +829,7 @@ public class TradeList
  104.             ok = true;
  105.            
  106.             // increase total price only after successful transaction
  107. -           totalPrice = _totalPrice;
  108. +           totalPrice = (int)_totalPrice;
  109.            
  110.             // Add changes to inventory update packets
  111.             if (oldItem.getCount() > 0 && oldItem != newItem)
  112. diff --git a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/MultiSellChoose.java b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/MultiSellChoose.java
  113. index 8780de4..df4a463 100644
  114. --- a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/MultiSellChoose.java
  115. +++ b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/MultiSellChoose.java
  116. @@ -105,7 +105,7 @@ public class MultiSellChoose extends L2GameClientPacket
  117.                 }
  118.                
  119.                 int slots = 0;
  120. -               int weight = 0;
  121. +               long weight = 0;
  122.                 for (Ingredient e : entry.getProducts())
  123.                 {
  124.                     if (e.getItemId() < 0)
  125. @@ -116,18 +116,18 @@ public class MultiSellChoose extends L2GameClientPacket
  126.                     else if (player.getInventory().getItemByItemId(e.getItemId()) == null)
  127.                         slots++;
  128.                    
  129. -                   weight += e.getItemCount() * _amount * e.getWeight();
  130. +                   weight += (long)e.getItemCount() * _amount * e.getWeight();
  131.                 }
  132.                
  133. -               if (!inv.validateWeight(weight))
  134. +               if (!inv.validateCapacity(slots))
  135.                 {
  136. -                   player.sendPacket(SystemMessageId.WEIGHT_LIMIT_EXCEEDED);
  137. +                   player.sendPacket(SystemMessageId.SLOTS_FULL);
  138.                     return;
  139.                 }
  140.                
  141. -               if (!inv.validateCapacity(slots))
  142. +               if (weight > Integer.MAX_VALUE || weight < 0 || !inv.validateWeight((int)weight))
  143.                 {
  144. -                   player.sendPacket(SystemMessageId.SLOTS_FULL);
  145. +                   player.sendPacket(SystemMessageId.WEIGHT_LIMIT_EXCEEDED);
  146.                     return;
  147.                 }
  148.                
  149. @@ -149,7 +149,8 @@ public class MultiSellChoose extends L2GameClientPacket
  150.                         // this happens if 1 list entry has the same ingredient twice (example 2 swords = 1 dual)
  151.                         if (ex.getItemId() == e.getItemId() && ex.getEnchantLevel() == e.getEnchantLevel())
  152.                         {
  153. -                           if (ex.getItemCount() + e.getItemCount() > Integer.MAX_VALUE)
  154. +                           long totalCount = (long)ex.getItemCount() + e.getItemCount();
  155. +                           if (totalCount > Integer.MAX_VALUE || totalCount < 0)
  156.                             {
  157.                                 player.sendPacket(SystemMessageId.YOU_HAVE_EXCEEDED_QUANTITY_THAT_CAN_BE_INPUTTED);
  158.                                 return;
  159. @@ -157,7 +158,7 @@ public class MultiSellChoose extends L2GameClientPacket
  160.                            
  161.                             // two same ingredients, merge into one and replace old
  162.                             final Ingredient ing = ex.getCopy();
  163. -                           ing.setItemCount(ex.getItemCount() + e.getItemCount());
  164. +                           ing.setItemCount((int)totalCount);
  165.                             ingredientsList.set(i, ing);
  166.                            
  167.                             newIng = false;
  168. @@ -173,7 +174,7 @@ public class MultiSellChoose extends L2GameClientPacket
  169.                 // now check if the player has sufficient items in the inventory to cover the ingredients' expences
  170.                 for (Ingredient e : ingredientsList)
  171.                 {
  172. -                   if (e.getItemCount() * _amount > Integer.MAX_VALUE)
  173. +                   if (Integer.MAX_VALUE / e.getItemCount() < _amount)
  174.                     {
  175.                         player.sendPacket(SystemMessageId.YOU_HAVE_EXCEEDED_QUANTITY_THAT_CAN_BE_INPUTTED);
  176.                         return;
  177. @@ -203,7 +204,7 @@ public class MultiSellChoose extends L2GameClientPacket
  178.                     {
  179.                         // if this is not a list that maintains enchantment, check the count of all items that have the given id.
  180.                         // otherwise, check only the count of items with exactly the needed enchantment level
  181. -                       if (inv.getInventoryItemCount(e.getItemId(), list.getMaintainEnchantment() ? e.getEnchantLevel() : -1, false) < ((Config.ALT_BLACKSMITH_USE_RECIPES || !e.getMaintainIngredient()) ? (e.getItemCount() * _amount) : e.getItemCount()))
  182. +                       if (inv.getInventoryItemCount(e.getItemId(), list.getMaintainEnchantment() ? e.getEnchantLevel() : -1, false) < ((Config.ALT_BLACKSMITH_USE_RECIPES || !e.getMaintainIngredient()) ? e.getItemCount() * _amount : e.getItemCount()))
  183.                         {
  184.                             player.sendPacket(SystemMessageId.NOT_ENOUGH_ITEMS);
  185.                             return;
  186. diff --git a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestBuyItem.java b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestBuyItem.java
  187. index e13baba..fba561b 100644
  188. --- a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestBuyItem.java
  189. +++ b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestBuyItem.java
  190. @@ -42,6 +42,7 @@ public final class RequestBuyItem extends L2GameClientPacket
  191.     protected void readImpl()
  192.     {
  193.         _listId = readD();
  194. +      
  195.         int count = readD();
  196.         if (count <= 0 || count > Config.MAX_ITEM_IN_PACKET || count * BATCH_LENGTH != _buf.remaining())
  197.             return;
  198. @@ -98,9 +99,9 @@ public final class RequestBuyItem extends L2GameClientPacket
  199.                 castleTaxRate = merchant.getCastle().getTaxRate();
  200.         }
  201.        
  202. -       int subTotal = 0;
  203. +       long totalPrice = 0;
  204.         int slots = 0;
  205. -       int weight = 0;
  206. +       long weight = 0;
  207.        
  208.         for (IntIntHolder i : _items)
  209.         {
  210. @@ -140,43 +141,37 @@ public final class RequestBuyItem extends L2GameClientPacket
  211.                     return;
  212.             }
  213.            
  214. -           if ((Integer.MAX_VALUE / i.getValue()) < price)
  215. -           {
  216. -               Util.handleIllegalPlayerAction(player, player.getName() + " of account " + player.getAccountName() + " tried to purchase over " + Integer.MAX_VALUE + " adena worth of goods.", Config.DEFAULT_PUNISH);
  217. -               return;
  218. -           }
  219. -          
  220.             // first calculate price per item with tax, then multiply by count
  221.             price = (int) (price * (1 + castleTaxRate));
  222. -           subTotal += i.getValue() * price;
  223. -          
  224. -           if (subTotal > Integer.MAX_VALUE)
  225. +           totalPrice += (long)i.getValue() * price;
  226. +           // Check for overflow
  227. +           if (Integer.MAX_VALUE / i.getValue() < price || totalPrice > Integer.MAX_VALUE || totalPrice < 0)
  228.             {
  229.                 Util.handleIllegalPlayerAction(player, player.getName() + " of account " + player.getAccountName() + " tried to purchase over " + Integer.MAX_VALUE + " adena worth of goods.", Config.DEFAULT_PUNISH);
  230.                 return;
  231.             }
  232.            
  233. -           weight += i.getValue() * product.getItem().getWeight();
  234. +           weight += (long)i.getValue() * product.getItem().getWeight();
  235.             if (!product.getItem().isStackable())
  236.                 slots += i.getValue();
  237.             else if (player.getInventory().getItemByItemId(i.getId()) == null)
  238.                 slots++;
  239.         }
  240.        
  241. -       if (weight > Integer.MAX_VALUE || weight < 0 || !player.getInventory().validateWeight(weight))
  242. +       if (!player.getInventory().validateCapacity(slots))
  243.         {
  244. -           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.WEIGHT_LIMIT_EXCEEDED));
  245. +           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.SLOTS_FULL));
  246.             return;
  247.         }
  248.        
  249. -       if (slots > Integer.MAX_VALUE || slots < 0 || !player.getInventory().validateCapacity(slots))
  250. +       if (weight > Integer.MAX_VALUE || weight < 0 || !player.getInventory().validateWeight((int)weight))
  251.         {
  252. -           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.SLOTS_FULL));
  253. +           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.WEIGHT_LIMIT_EXCEEDED));
  254.             return;
  255.         }
  256.        
  257.         // Charge buyer and add tax to castle treasury if not owned by npc clan
  258. -       if (subTotal < 0 || !player.reduceAdena("Buy", subTotal, player.getCurrentFolkNPC(), false))
  259. +       if (!player.reduceAdena("Buy", (int)totalPrice, player.getCurrentFolkNPC(), false))
  260.         {
  261.             sendPacket(SystemMessage.getSystemMessage(SystemMessageId.YOU_NOT_ENOUGH_ADENA));
  262.             return;
  263. @@ -203,7 +198,7 @@ public final class RequestBuyItem extends L2GameClientPacket
  264.        
  265.         // add to castle treasury
  266.         if (merchant instanceof L2MerchantInstance)
  267. -           ((L2MerchantInstance) merchant).getCastle().addToTreasury((int) (subTotal * castleTaxRate));
  268. +           ((L2MerchantInstance) merchant).getCastle().addToTreasury((int) (totalPrice * castleTaxRate));
  269.        
  270.         StatusUpdate su = new StatusUpdate(player);
  271.         su.addAttribute(StatusUpdate.CUR_LOAD, player.getCurrentLoad());
  272. diff --git a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestBuyProcure.java b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestBuyProcure.java
  273. index 74192a1..f94e2c5 100644
  274. --- a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestBuyProcure.java
  275. +++ b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestBuyProcure.java
  276. @@ -91,14 +91,14 @@ public class RequestBuyProcure extends L2GameClientPacket
  277.        
  278.         Castle castle = ((L2ManorManagerInstance) manager).getCastle();
  279.         int slots = 0;
  280. -       int weight = 0;
  281. +       long weight = 0;
  282.        
  283.         for (Procure i : _items)
  284.         {
  285.             i.setReward(castle);
  286.            
  287.             Item template = ItemTable.getInstance().getTemplate(i.getReward());
  288. -           weight += i.getCount() * template.getWeight();
  289. +           weight += (long)i.getCount() * template.getWeight();
  290.            
  291.             if (!template.isStackable())
  292.                 slots += i.getCount();
  293. @@ -106,15 +106,15 @@ public class RequestBuyProcure extends L2GameClientPacket
  294.                 slots++;
  295.         }
  296.        
  297. -       if (!player.getInventory().validateWeight(weight))
  298. +       if (!player.getInventory().validateCapacity(slots))
  299.         {
  300. -           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.WEIGHT_LIMIT_EXCEEDED));
  301. +           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.SLOTS_FULL));
  302.             return;
  303.         }
  304.        
  305. -       if (!player.getInventory().validateCapacity(slots))
  306. +       if (weight > Integer.MAX_VALUE || weight < 0 || !player.getInventory().validateWeight((int)weight))
  307.         {
  308. -           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.SLOTS_FULL));
  309. +           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.WEIGHT_LIMIT_EXCEEDED));
  310.             return;
  311.         }
  312.        
  313. diff --git a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestBuySeed.java b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestBuySeed.java
  314. index 6edc5d6..9147a25 100644
  315. --- a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestBuySeed.java
  316. +++ b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestBuySeed.java
  317. @@ -86,9 +86,9 @@ public class RequestBuySeed extends L2GameClientPacket
  318.         if (!player.isInsideRadius(manager, INTERACTION_DISTANCE, true, false))
  319.             return;
  320.        
  321. -       int totalPrice = 0;
  322. +       long totalPrice = 0;
  323.         int slots = 0;
  324. -       int totalWeight = 0;
  325. +       long weight = 0;
  326.        
  327.         Castle castle = CastleManager.getInstance().getCastleById(_manorId);
  328.        
  329. @@ -98,35 +98,35 @@ public class RequestBuySeed extends L2GameClientPacket
  330.                 return;
  331.            
  332.             totalPrice += i.getPrice();
  333. -          
  334. -           if (totalPrice > Integer.MAX_VALUE)
  335. +           // Check for overflow
  336. +           if (totalPrice > Integer.MAX_VALUE || totalPrice < 0)
  337.             {
  338.                 Util.handleIllegalPlayerAction(player, player.getName() + " of account " + player.getAccountName() + " tried to purchase over " + Integer.MAX_VALUE + " adena worth of goods.", Config.DEFAULT_PUNISH);
  339.                 return;
  340.             }
  341.            
  342.             Item template = ItemTable.getInstance().getTemplate(i.getSeedId());
  343. -           totalWeight += i.getCount() * template.getWeight();
  344. +           weight += (long)i.getCount() * template.getWeight();
  345.             if (!template.isStackable())
  346.                 slots += i.getCount();
  347.             else if (player.getInventory().getItemByItemId(i.getSeedId()) == null)
  348.                 slots++;
  349.         }
  350.        
  351. -       if (!player.getInventory().validateWeight(totalWeight))
  352. +       if (!player.getInventory().validateCapacity(slots))
  353.         {
  354. -           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.WEIGHT_LIMIT_EXCEEDED));
  355. +           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.SLOTS_FULL));
  356.             return;
  357.         }
  358.        
  359. -       if (!player.getInventory().validateCapacity(slots))
  360. +       if (weight > Integer.MAX_VALUE || weight < 0 || !player.getInventory().validateWeight((int)weight))
  361.         {
  362. -           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.SLOTS_FULL));
  363. +           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.WEIGHT_LIMIT_EXCEEDED));
  364.             return;
  365.         }
  366.        
  367.         // test adena
  368. -       if (totalPrice < 0 || player.getAdena() < totalPrice)
  369. +       if (player.getAdena() < totalPrice)
  370.         {
  371.             sendPacket(SystemMessage.getSystemMessage(SystemMessageId.YOU_NOT_ENOUGH_ADENA));
  372.             return;
  373. @@ -151,7 +151,7 @@ public class RequestBuySeed extends L2GameClientPacket
  374.         if (totalPrice > 0)
  375.         {
  376.             castle.addToTreasuryNoTax(totalPrice);
  377. -           player.sendPacket(SystemMessage.getSystemMessage(SystemMessageId.S1_DISAPPEARED_ADENA).addItemNumber(totalPrice));
  378. +           player.sendPacket(SystemMessage.getSystemMessage(SystemMessageId.S1_DISAPPEARED_ADENA).addItemNumber((int)totalPrice));
  379.         }
  380.     }
  381.    
  382. diff --git a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestPreviewItem.java b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestPreviewItem.java
  383. index 3920fd6..ac881c5 100644
  384. --- a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestPreviewItem.java
  385. +++ b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestPreviewItem.java
  386. @@ -130,7 +130,7 @@ public final class RequestPreviewItem extends L2GameClientPacket
  387.             return;
  388.         }
  389.        
  390. -       int totalPrice = 0;
  391. +       long totalPrice = 0;
  392.         _listId = buyList.getListId();
  393.         _itemList = new HashMap<>();
  394.        
  395. @@ -161,7 +161,8 @@ public final class RequestPreviewItem extends L2GameClientPacket
  396.             _itemList.put(slot, itemId);
  397.            
  398.             totalPrice += Config.WEAR_PRICE;
  399. -           if (totalPrice > Integer.MAX_VALUE)
  400. +           // Check for overflow
  401. +           if (totalPrice > Integer.MAX_VALUE || totalPrice < 0)
  402.             {
  403.                 Util.handleIllegalPlayerAction(activeChar, activeChar.getName() + " of account " + activeChar.getAccountName() + " tried to purchase over " + Integer.MAX_VALUE + " adena worth of goods.", Config.DEFAULT_PUNISH);
  404.                 return;
  405. @@ -169,7 +170,7 @@ public final class RequestPreviewItem extends L2GameClientPacket
  406.         }
  407.        
  408.         // Charge buyer and add tax to castle treasury if not owned by npc clan because a Try On is not Free
  409. -       if (totalPrice < 0 || !activeChar.reduceAdena("Wear", totalPrice, activeChar.getCurrentFolkNPC(), true))
  410. +       if (!activeChar.reduceAdena("Wear", (int)totalPrice, activeChar.getCurrentFolkNPC(), true))
  411.         {
  412.             activeChar.sendPacket(SystemMessageId.YOU_NOT_ENOUGH_ADENA);
  413.             return;
  414. diff --git a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestProcureCropList.java b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestProcureCropList.java
  415. index 50f7b71..ec81897 100644
  416. --- a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestProcureCropList.java
  417. +++ b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestProcureCropList.java
  418. @@ -79,7 +79,7 @@ public class RequestProcureCropList extends L2GameClientPacket
  419.        
  420.         // Calculate summary values
  421.         int slots = 0;
  422. -       int weight = 0;
  423. +       long weight = 0;
  424.        
  425.         for (Crop i : _items)
  426.         {
  427. @@ -87,7 +87,7 @@ public class RequestProcureCropList extends L2GameClientPacket
  428.                 continue;
  429.            
  430.             Item template = ItemTable.getInstance().getTemplate(i.getReward());
  431. -           weight += i.getCount() * template.getWeight();
  432. +           weight += (long)i.getCount() * template.getWeight();
  433.            
  434.             if (!template.isStackable())
  435.                 slots += i.getCount();
  436. @@ -95,15 +95,15 @@ public class RequestProcureCropList extends L2GameClientPacket
  437.                 slots++;
  438.         }
  439.        
  440. -       if (!player.getInventory().validateWeight(weight))
  441. +       if (!player.getInventory().validateCapacity(slots))
  442.         {
  443. -           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.WEIGHT_LIMIT_EXCEEDED));
  444. +           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.SLOTS_FULL));
  445.             return;
  446.         }
  447.        
  448. -       if (!player.getInventory().validateCapacity(slots))
  449. +       if (weight > Integer.MAX_VALUE || weight < 0 || !player.getInventory().validateWeight((int)weight))
  450.         {
  451. -           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.SLOTS_FULL));
  452. +           sendPacket(SystemMessage.getSystemMessage(SystemMessageId.WEIGHT_LIMIT_EXCEEDED));
  453.             return;
  454.         }
  455.        
  456. diff --git a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestSellItem.java b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestSellItem.java
  457. index e09ef3c..9eb7132 100644
  458. --- a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestSellItem.java
  459. +++ b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/RequestSellItem.java
  460. @@ -90,7 +90,7 @@ public final class RequestSellItem extends L2GameClientPacket
  461.                 return;
  462.         }
  463.        
  464. -       int totalPrice = 0;
  465. +       long totalPrice = 0;
  466.         // Proceed the sell
  467.         for (IntIntHolder i : _items)
  468.         {
  469. @@ -99,8 +99,9 @@ public final class RequestSellItem extends L2GameClientPacket
  470.                 continue;
  471.            
  472.             int price = item.getReferencePrice() / 2;
  473. -           totalPrice += price * i.getValue();
  474. -           if ((Integer.MAX_VALUE / i.getValue()) < price || totalPrice > Integer.MAX_VALUE)
  475. +           totalPrice += (long)price * i.getValue();
  476. +           // Check for overflow
  477. +           if ((Integer.MAX_VALUE / i.getValue()) < price || totalPrice > Integer.MAX_VALUE || totalPrice < 0)
  478.             {
  479.                 Util.handleIllegalPlayerAction(player, player.getName() + " of account " + player.getAccountName() + " tried to purchase over " + Integer.MAX_VALUE + " adena worth of goods.", Config.DEFAULT_PUNISH);
  480.                 return;
  481. @@ -108,7 +109,7 @@ public final class RequestSellItem extends L2GameClientPacket
  482.             item = player.getInventory().destroyItem("Sell", i.getId(), i.getValue(), player, merchant);
  483.         }
  484.        
  485. -       player.addAdena("Sell", totalPrice, merchant, false);
  486. +       player.addAdena("Sell", (int)totalPrice, merchant, false);
  487.        
  488.         // Send the htm, if existing.
  489.         String htmlFolder = "";
  490. diff --git a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/SendWarehouseWithdrawList.java b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/SendWarehouseWithdrawList.java
  491. index 324335c..4016531 100644
  492. --- a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/SendWarehouseWithdrawList.java
  493. +++ b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/SendWarehouseWithdrawList.java
  494. @@ -114,8 +114,8 @@ public final class SendWarehouseWithdrawList extends L2GameClientPacket
  495.             }
  496.         }
  497.        
  498. -       int weight = 0;
  499.         int slots = 0;
  500. +       long weight = 0;
  501.        
  502.         for (IntIntHolder i : _items)
  503.         {
  504. @@ -127,7 +127,7 @@ public final class SendWarehouseWithdrawList extends L2GameClientPacket
  505.                 return;
  506.             }
  507.            
  508. -           weight += i.getValue() * item.getItem().getWeight();
  509. +           weight += (long)i.getValue() * item.getItem().getWeight();
  510.            
  511.             if (!item.isStackable())
  512.                 slots += i.getValue();
  513. @@ -143,7 +143,7 @@ public final class SendWarehouseWithdrawList extends L2GameClientPacket
  514.         }
  515.        
  516.         // Weight limit Check
  517. -       if (!player.getInventory().validateWeight(weight))
  518. +       if (weight > Integer.MAX_VALUE || weight < 0 || !player.getInventory().validateWeight((int)weight))
  519.         {
  520.             sendPacket(SystemMessage.getSystemMessage(SystemMessageId.WEIGHT_LIMIT_EXCEEDED));
  521.             return;
  522. diff --git a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/SetPrivateStoreListBuy.java b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/SetPrivateStoreListBuy.java
  523. index 3010659..b1468a5 100644
  524. --- a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/SetPrivateStoreListBuy.java
  525. +++ b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/SetPrivateStoreListBuy.java
  526. @@ -101,7 +101,7 @@ public final class SetPrivateStoreListBuy extends L2GameClientPacket
  527.             return;
  528.         }
  529.        
  530. -       int totalCost = 0;
  531. +       long totalCost = 0;
  532.         for (Item i : _items)
  533.         {
  534.             if (!i.addToTradeList(tradeList))
  535. @@ -112,7 +112,7 @@ public final class SetPrivateStoreListBuy extends L2GameClientPacket
  536.             }
  537.            
  538.             totalCost += i.getCost();
  539. -           if (totalCost > Integer.MAX_VALUE)
  540. +           if (totalCost > Integer.MAX_VALUE || totalCost < 0)
  541.             {
  542.                 player.sendPacket(SystemMessageId.EXCEEDED_THE_MAXIMUM);
  543.                 player.sendPacket(new PrivateStoreManageListBuy(player));
  544. diff --git a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/SetPrivateStoreListSell.java b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/SetPrivateStoreListSell.java
  545. index eb5500f..29d9768 100644
  546. --- a/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/SetPrivateStoreListSell.java
  547. +++ b/aCis_gameserver/java/net/sf/l2j/gameserver/network/clientpackets/SetPrivateStoreListSell.java
  548. @@ -103,7 +103,7 @@ public final class SetPrivateStoreListSell extends L2GameClientPacket
  549.         tradeList.clear();
  550.         tradeList.setPackaged(_packageSale);
  551.        
  552. -       int totalCost = player.getAdena();
  553. +       long totalCost = player.getAdena();
  554.         for (Item i : _items)
  555.         {
  556.             if (!i.addToTradeList(tradeList))
  557. @@ -114,7 +114,7 @@ public final class SetPrivateStoreListSell extends L2GameClientPacket
  558.             }
  559.            
  560.             totalCost += i.getPrice();
  561. -           if (totalCost > Integer.MAX_VALUE)
  562. +           if (totalCost > Integer.MAX_VALUE || totalCost < 0)
  563.             {
  564.                 player.sendPacket(SystemMessageId.EXCEEDED_THE_MAXIMUM);
  565.                 player.sendPacket(new PrivateStoreManageListSell(player, _packageSale));
RAW Paste Data