diff options
| author | Kitty Barnett <develop@catznip.com> | 2017-10-12 22:55:15 +0200 |
|---|---|---|
| committer | Kitty Barnett <develop@catznip.com> | 2017-10-12 22:55:15 +0200 |
| commit | 18fa2e6471fe25036341f0375a2f4d4887c8c378 (patch) | |
| tree | 97521e311a7da38d0c90ba72955fd33f55a58a4c | |
| parent | 5a7b36d506c8fab720c466a8dff2e3fc79a14390 (diff) | |
MAINT-7081 [FIXED] Access (write) violation / buffer overrun in LLTextureFetchWorker::doWork()
The trouble lines are:
U8 * buffer = (U8 *) ALLOCATE_MEM(LLImageBase::getPrivatePool(), total_size);
if (cur_size > 0)
{
memcpy(buffer, mFormattedImage->getData(), cur_size);
}
If 'cur_size > mHttpReplyOffset + append_size' then 'total_size -= src_offset' will cause
total_size to be smaller than cur_size causing a write access violation on the memcpy.
Since the response is invalid it seemed best to make it follow the other failed partial condition.
(transplanted from 737e28ec6b4d74f3ff915a4effc13d7b615a6a9b)
| -rwxr-xr-x | doc/contributions.txt | 1 | ||||
| -rw-r--r-- | indra/newview/lltexturefetch.cpp | 2 |
2 files changed, 2 insertions, 1 deletions
diff --git a/doc/contributions.txt b/doc/contributions.txt index dabae001a3..5307c5345c 100755 --- a/doc/contributions.txt +++ b/doc/contributions.txt @@ -825,6 +825,7 @@ Kitty Barnett MAINT-6568 STORM-2149 MAINT-7581 + MAINT-7081 Kolor Fall Komiko Okamoto Korvel Noh diff --git a/indra/newview/lltexturefetch.cpp b/indra/newview/lltexturefetch.cpp index 1085b15976..f917faadd4 100644 --- a/indra/newview/lltexturefetch.cpp +++ b/indra/newview/lltexturefetch.cpp @@ -1746,7 +1746,7 @@ bool LLTextureFetchWorker::doWork(S32 param) // In case of a partial response, our offset may // not be trivially contiguous with the data we have. // Get back into alignment. - if (mHttpReplyOffset > cur_size) + if ( (mHttpReplyOffset > cur_size) || (cur_size > mHttpReplyOffset + append_size)) { LL_WARNS(LOG_TXT) << "Partial HTTP response produces break in image data for texture " << mID << ". Aborting load." << LL_ENDL; |