From d0ac1505a7aebc98219fb5f60f6bfb73df6586ec Mon Sep 17 00:00:00 2001
From: Andrey Kleshchev
Date: Tue, 13 Apr 2021 00:40:00 +0300
Subject: SL-15102 Crash at load_face_from_dom_triangles
---
 indra/llprimitive/lldaeloader.cpp | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'indra/llprimitive')
diff --git a/indra/llprimitive/lldaeloader.cpp b/indra/llprimitive/lldaeloader.cpp
index dfa29fb539..33e90555fa 100644
--- a/indra/llprimitive/lldaeloader.cpp
+++ b/indra/llprimitive/lldaeloader.cpp
@@ -198,6 +198,17 @@ LLModel::EModelStatus load_face_from_dom_triangles(std::vector& fa
 }
 LLVolumeFace::VertexMapData::PointMap point_map;
+
+ if (idx_stride <= 0
+ || (pos_source && pos_offset >= idx_stride)
+ || (tc_source && tc_offset >= idx_stride)
+ || (norm_source && norm_offset >= idx_stride))
+ {
+ // Looks like these offsets should fit inside idx_stride
+ // Might be good idea to also check idx.getCount()%idx_stride != 0
+ LL_WARNS() << "Invalid pos_offset " << pos_offset << ", tc_offset " << tc_offset << " or norm_offset " << norm_offset << LL_ENDL;
+ return LLModel::BAD_ELEMENT;
+ }
 for (U32 i = 0; i < idx.getCount(); i += idx_stride)
 {
--
cgit v1.2.3
From 250212d614982041ad553428f76733f6ddd4e224 Mon Sep 17 00:00:00 2001
From: Andrey Kleshchev
Date: Thu, 29 Apr 2021 00:09:00 +0300
Subject: SL-15183 Crash at LLModel::matchMaterialOrder
---
 indra/llprimitive/llmodel.cpp | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'indra/llprimitive')
diff --git a/indra/llprimitive/llmodel.cpp b/indra/llprimitive/llmodel.cpp
index 702a1b5238..1b34068ece 100644
--- a/indra/llprimitive/llmodel.cpp
+++ b/indra/llprimitive/llmodel.cpp
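Review bot: The new guard in load_face_from_dom_triangles (lldaeloader.cpp) still does not check the index count against the stride, although the added comment itself suggests it. The loop that follows steps `i` by `idx_stride` up to `idx.getCount()`, so a count that is not a multiple of the stride leaves a partial last group; if the loop body reads `idx[i + offset]` (the body is outside the hunk), that read would run past the end of the index array on model data the loader does not control. I would add `|| (idx.getCount() % idx_stride != 0)` as the last term, after the `idx_stride <= 0` test so the modulo never sees zero. The offsets are bounded only from above; their declarations are not in the hunk, but if they are signed a negative value passes this check and a lower bound is needed as well. The warning should also print `idx_stride`, since every comparison depends on it and the first term can fire with valid offsets.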
@@ -1262,6 +1262,14 @@ bool LLModel::matchMaterialOrder(LLModel* ref, int& refFaceCnt, int& modelFaceCn LL_INFOS("MESHSKININFO")<<"Material of model is not a subset of reference."< ref->mMaterialList.size()) + { + LL_INFOS("MESHSKININFO") << "Material of model has more materials than a reference." << LL_ENDL; + // We passed isMaterialListSubset, so materials are a subset, but subset isn't supposed to be + // larger than original and if we keep going, reordering will cause a crash + return false; + } std::map index_map; -- cgit v1.2.3
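Review bot: The new early return in LLModel::matchMaterialOrder rejects only a model list that is longer than `ref->mMaterialList`, which looks like a symptom rather than the cause. By the added comment's own reasoning, a list that passed isMaterialListSubset can exceed the reference only if it holds entries the subset test does not tell apart (presumably repeated material names), and such a list of equal or smaller size would still go on to the reordering. If that can happen, a uniqueness check on the names before `index_map` is filled would close the gap; the start of the condition is not readable on this page and the rest of the function is outside the hunk, so this needs confirming against the full source. The log text would read better as `"Model has more materials than the reference."`.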