For MAINT-2303 Fix potential stack smash from well-crafted meshes

author: Graham Madarasz (Graham) <graham@lindenlab.com> 2013-03-04 11:10:10 -0800
committer: Graham Madarasz (Graham) <graham@lindenlab.com> 2013-03-04 11:10:10 -0800
commit: e7e617f42351876e3d003f885e89d19a02ab6f48 (patch)
tree: 9cefb62a6fe521e9e0f89d107a07830a489e65da /indra
parent: 3849ee79c3810226d1129bcbeb6bd69144aba243 (diff)
1 files changed, 7 insertions, 3 deletions
diff --git a/indra/newview/llvovolume.cpp b/indra/newview/llvovolume.cpp
index c0f80cf855..c7d317c526 100644
--- a/indra/newview/llvovolume.cpp
+++ b/indra/newview/llvovolume.cpp
@@ -3839,7 +3839,8 @@ void LLRiggedVolume::update(const LLMeshSkinInfo* skin, LLVOAvatar* avatar, cons
 	LLMatrix4a mp[64];
 	LLMatrix4* mat = (LLMatrix4*) mp;
 	
-	for (U32 j = 0; j < skin->mJointNames.size(); ++j)
+	U32 maxJoints = llmin(skin->mJointNames.size(), 64);
+	for (U32 j = 0; j < maxJoints; ++j)
 	{
 		LLJoint* joint = avatar->getJoint(skin->mJointNames[j]);
 		if (joint)
@@ -3894,8 +3895,11 @@ void LLRiggedVolume::update(const LLMeshSkinInfo* skin, LLVOAvatar* avatar, cons
 						F32 w = wght[k];
 
 						LLMatrix4a src;
-						src.setMul(mp[idx[k]], w);
-
+						// Insure ref'd bone is in our clamped array of mats
+						llassert(idx[k] < 64);
+						// don't read garbage off the stack in release
+						if (idx[k] < 64)
+							src.setMul(mp[idx[k]], w);
 						final_mat.add(src);
 					}
author	Graham Madarasz (Graham) <graham@lindenlab.com>	2013-03-04 11:10:10 -0800
committer	Graham Madarasz (Graham) <graham@lindenlab.com>	2013-03-04 11:10:10 -0800
commit	e7e617f42351876e3d003f885e89d19a02ab6f48 (patch)
tree	9cefb62a6fe521e9e0f89d107a07830a489e65da /indra
parent	3849ee79c3810226d1129bcbeb6bd69144aba243 (diff)