From 8df303ed8506a0c4fe8965130e1ac9df75d156b1 Mon Sep 17 00:00:00 2001
From: Andrey Kleshchev
Date: Mon, 21 Jul 2025 19:30:05 +0300
Subject: #4399 Crash at load_face_from_dom_triangles

Since these offsets are used for idx[i+offset] where i starts from 0, they shouldn't be below 0 to not go out of bounds.
---
 indra/llprimitive/lldaeloader.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'indra/llprimitive/lldaeloader.cpp')

diff --git a/indra/llprimitive/lldaeloader.cpp b/indra/llprimitive/lldaeloader.cpp
index a11f9b5ca2..bfcd84a43d 100644
--- a/indra/llprimitive/lldaeloader.cpp
+++ b/indra/llprimitive/lldaeloader.cpp
@@ -204,12 +204,15 @@ LLModel::EModelStatus load_face_from_dom_triangles(
 
 if (idx_stride <= 0
 || (pos_source && pos_offset >= idx_stride)
+ || (pos_source && pos_offset < 0)
 || (tc_source && tc_offset >= idx_stride)
- || (norm_source && norm_offset >= idx_stride))
+ || (tc_source && tc_offset < 0)
+ || (norm_source && norm_offset >= idx_stride)
+ || (norm_source && norm_offset < 0))
 {
 // Looks like these offsets should fit inside idx_stride
 // Might be good idea to also check idx.getCount()%idx_stride != 0
- LL_WARNS() << "Invalid pos_offset " << pos_offset << ", tc_offset " << tc_offset << " or norm_offset " << norm_offset << LL_ENDL;
+ LL_WARNS() << "Invalid idx_stride " << idx_stride << ", pos_offset " << pos_offset << ", tc_offset " << tc_offset << " or norm_offset " << norm_offset << LL_ENDL;
 return LLModel::BAD_ELEMENT;
 }
 
-- 
cgit v1.2.3
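Review bot: The condition still omits the check that its own comment suggests: with every offset now confined to `[0, idx_stride)`, an index list whose length is not a multiple of `idx_stride` would presumably still let `idx[i+offset]` run past the end on the final, partial group. Because `idx_stride <= 0` is tested first and short-circuits, appending `|| (idx.getCount() % idx_stride != 0)` cannot divide by zero and would reject such a file with the same `BAD_ELEMENT` result. The indexing loop and the declarations of `idx` and the offsets lie outside this hunk, so the loop bounds and the signedness of the operands should be confirmed before adding it. The paired tests per source could also be folded into one term each, e.g. `(pos_source && (pos_offset < 0 || pos_offset >= idx_stride))`.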