From 2723644d8caf1d4de85c2846b895801d0c22a83b Mon Sep 17 00:00:00 2001
From: MobiusDevelopment <8391001+MobiusDevelopment@users.noreply.github.com>
Date: Wed, 16 Sep 2020 11:28:08 +0000
Subject: [PATCH] RequestBuyItem exploit prevention. Contributed by G-hamsteR.

---
 .../network/clientpackets/RequestBuyItem.java | 19 +++++++++++++++----
 .../network/clientpackets/RequestBuyItem.java | 19 +++++++++++++++----
 2 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/L2J_Mobius_C4_ScionsOfDestiny/java/org/l2jmobius/gameserver/network/clientpackets/RequestBuyItem.java b/L2J_Mobius_C4_ScionsOfDestiny/java/org/l2jmobius/gameserver/network/clientpackets/RequestBuyItem.java
index bc366d43b9..a465af43c3 100644
--- a/L2J_Mobius_C4_ScionsOfDestiny/java/org/l2jmobius/gameserver/network/clientpackets/RequestBuyItem.java
+++ b/L2J_Mobius_C4_ScionsOfDestiny/java/org/l2jmobius/gameserver/network/clientpackets/RequestBuyItem.java
@@ -67,15 +67,26 @@ public class RequestBuyItem extends GameClientPacket
 		for (int i = 0; i < _count; i++)
 		{
 			final int itemId = readD();
-			_items[(i * 2) + 0] = itemId;
-			final long cnt = readD();
-			if ((cnt > Integer.MAX_VALUE) || (cnt < 0))
+			if (itemId < 1)
 			{
 				_count = 0;
 				return;
 			}
+			_items[(i * 2) + 0] = itemId;
 			
-			_items[(i * 2) + 1] = (int) cnt;
+			final int count = readD();
+			if ((count > Integer.MAX_VALUE) || (count < 1))
+			{
+				_count = 0;
+				return;
+			}
+			if (count > 10000) // Count check.
+			{
+				getClient().getPlayer().sendMessage("You cannot buy more than 10.000 items.");
+				_count = 0;
+				return;
+			}
+			_items[(i * 2) + 1] = count;
 		}
 	}
 	
diff --git a/L2J_Mobius_C6_Interlude/java/org/l2jmobius/gameserver/network/clientpackets/RequestBuyItem.java b/L2J_Mobius_C6_Interlude/java/org/l2jmobius/gameserver/network/clientpackets/RequestBuyItem.java
index bc366d43b9..a465af43c3 100644
--- a/L2J_Mobius_C6_Interlude/java/org/l2jmobius/gameserver/network/clientpackets/RequestBuyItem.java
+++ b/L2J_Mobius_C6_Interlude/java/org/l2jmobius/gameserver/network/clientpackets/RequestBuyItem.java
@@ -67,15 +67,26 @@ public class RequestBuyItem extends GameClientPacket
 		for (int i = 0; i < _count; i++)
 		{
 			final int itemId = readD();
-			_items[(i * 2) + 0] = itemId;
-			final long cnt = readD();
-			if ((cnt > Integer.MAX_VALUE) || (cnt < 0))
+			if (itemId < 1)
 			{
 				_count = 0;
 				return;
 			}
+			_items[(i * 2) + 0] = itemId;
 			
-			_items[(i * 2) + 1] = (int) cnt;
+			final int count = readD();
+			if ((count > Integer.MAX_VALUE) || (count < 1))
+			{
+				_count = 0;
+				return;
+			}
+			if (count > 10000) // Count check.
+			{
+				getClient().getPlayer().sendMessage("You cannot buy more than 10.000 items.");
+				_count = 0;
+				return;
+			}
+			_items[(i * 2) + 1] = count;
 		}
 	}