| author | Kitty Barnett <develop@catznip.com> | 2017-10-12 22:55:15 +0200 | 
|---|---|---|
| committer | Kitty Barnett <develop@catznip.com> | 2017-10-12 22:55:15 +0200 | 
| commit | 18fa2e6471fe25036341f0375a2f4d4887c8c378 (patch) | |
| tree | 97521e311a7da38d0c90ba72955fd33f55a58a4c /indra/newview | |
| parent | 5a7b36d506c8fab720c466a8dff2e3fc79a14390 (diff) | |
MAINT-7081 [FIXED] Access (write) violation / buffer overrun in LLTextureFetchWorker::doWork()
The trouble lines are:
			U8 * buffer = (U8 *) ALLOCATE_MEM(LLImageBase::getPrivatePool(), total_size);
			if (cur_size > 0)
			{
				memcpy(buffer, mFormattedImage->getData(), cur_size);
			}
If 'cur_size > mHttpReplyOffset + append_size' then 'total_size -= src_offset' will cause
total_size to be smaller than cur_size causing a write access violation on the memcpy.
Since the response is invalid it seemed best to make it follow the other failed partial condition.
(transplanted from 737e28ec6b4d74f3ff915a4effc13d7b615a6a9b)
Diffstat (limited to 'indra/newview')
| -rw-r--r-- | indra/newview/lltexturefetch.cpp | 2 | 
1 files changed, 1 insertions, 1 deletions
| diff --git a/indra/newview/lltexturefetch.cpp b/indra/newview/lltexturefetch.cpp index 1085b15976..f917faadd4 100644 --- a/indra/newview/lltexturefetch.cpp +++ b/indra/newview/lltexturefetch.cpp @@ -1746,7 +1746,7 @@ bool LLTextureFetchWorker::doWork(S32 param)  				// In case of a partial response, our offset may  				// not be trivially contiguous with the data we have.  				// Get back into alignment. -				if (mHttpReplyOffset > cur_size) +				if ( (mHttpReplyOffset > cur_size) || (cur_size > mHttpReplyOffset + append_size))  				{  					LL_WARNS(LOG_TXT) << "Partial HTTP response produces break in image data for texture "  									  << mID << ".  Aborting load."  << LL_ENDL; | 
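Review bot: the added clause `(cur_size > mHttpReplyOffset + append_size)` reuses the existing warning, "Partial HTTP response produces break in image data", which describes the gap case (`mHttpReplyOffset > cur_size`) and not a reply that ends short of the data already held. Consider including mHttpReplyOffset, append_size and cur_size in the LL_WARNS line so the two rejection paths can be told apart in logs. The sum `mHttpReplyOffset + append_size` is built from values describing the HTTP reply, and their types are not visible in this hunk. If they are signed 32-bit, writing the test as `cur_size - mHttpReplyOffset > append_size` avoids overflow, since the `||` only evaluates it when mHttpReplyOffset <= cur_size. The memcpy quoted in the commit message still depends on this distant condition to keep total_size >= cur_size, so an explicit check or assert next to the allocation would keep that invariant local. Minor style point: `if ( (` has a space after the opening parenthesis that the closing side does not match.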
