summaryrefslogtreecommitdiff
path: root/indra
diff options
context:
space:
mode:
authorKitty Barnett <develop@catznip.com>2013-02-19 21:21:41 +0100
committerKitty Barnett <develop@catznip.com>2013-02-19 21:21:41 +0100
commita6e8e60f5051ae27cb771e0404f1d5579ab85ebb (patch)
tree9519e6b7cbbbc86ec564c66c44f8e041fc2b2f6c /indra
parent64a4a13397ea7b895ebbeb707bdba72e2d97ff6b (diff)
Don't overrun the message buffer extracting materials ids when the region isn't sending them
Diffstat (limited to 'indra')
-rw-r--r--indra/llprimitive/llprimitive.cpp23
1 files changed, 19 insertions, 4 deletions
diff --git a/indra/llprimitive/llprimitive.cpp b/indra/llprimitive/llprimitive.cpp
index d28cd89a1b..1a177f1c14 100644
--- a/indra/llprimitive/llprimitive.cpp
+++ b/indra/llprimitive/llprimitive.cpp
@@ -1075,6 +1075,7 @@ S32 LLPrimitive::unpackTEField(U8 *cur_ptr, U8 *buffer_end, U8 *data_ptr, U8 dat
}
cur_ptr += data_size;
}
+ llassert(cur_ptr <= buffer_end);
return (S32)(cur_ptr - start_loc);
}
@@ -1328,8 +1329,15 @@ S32 LLPrimitive::unpackTEMessage(LLMessageSystem* mesgsys, char const* block_nam
cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)media_flags, 1, face_count, MVT_U8);
cur_ptr++;
cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)glow, 1, face_count, MVT_U8);
- cur_ptr++;
- cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)material_data, 16, face_count, MVT_LLUUID);
+ if (cur_ptr < packed_buffer + size)
+ {
+ cur_ptr++;
+ cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)material_data, 16, face_count, MVT_LLUUID);
+ }
+ else
+ {
+ memset(material_data, 0, sizeof(material_data));
+ }
for (U32 i = 0; i < face_count; i++)
{
@@ -1429,8 +1437,15 @@ S32 LLPrimitive::unpackTEMessage(LLDataPacker &dp)
cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)media_flags, 1, face_count, MVT_U8);
cur_ptr++;
cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)glow, 1, face_count, MVT_U8);
- cur_ptr++;
- cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)material_data, 16, face_count, MVT_LLUUID);
+ if (cur_ptr < packed_buffer + size)
+ {
+ cur_ptr++;
+ cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)material_data, 16, face_count, MVT_LLUUID);
+ }
+ else
+ {
+ memset(material_data, 0, sizeof(material_data));
+ }
for (i = 0; i < face_count; i++)
{