Cool VL Viewer forum




Buffer overflow in llprimitive.cpp / unpackTEMessage 

Joined: 2011-10-07 10:39:20
Posts: 207
Visual Studio Analyzer found this one:

Code:
S32 LLPrimitive::unpackTEMessage(LLDataPacker& dp)
{
   // Avoid construction of 90 UUIDs + 45 LLColor4U + 90 F32 + 135 S16 +
   // 135 U8 + a 4096 bytes buffer per call...
   static LLTEContents data;
   memset((void*)&data, 0, sizeof(data));

   S32 size;
   if (!dp.unpackBinaryData(data.packed_buffer, size, "TextureEntry"))
   {
      llwarns << "Bad texture entry block !  Aborted !" << llendl;
      return TEM_INVALID;
   }
   if (size == 0)
   {
      return 0;
   }
   if ((U32)size > MAX_TE_BUFFER)
   {
      llwarns << "Excessive buffer size detected in texture entry; truncating."
            << llendl;
      size = MAX_TE_BUFFER - 1;
   }
   // The last field is not zero-terminated. Rather than a special case for
   // unpack functions, just add the missing null byte.
   data.packed_buffer[size++] = 0x00;


If the size is exactly 4096 (= MAX_TE_BUFFER), this overflows the data.packed_buffer and writes a 0-byte beyond the end.

Fix is probably to check for >=

Code:
if ((U32)size >= MAX_TE_BUFFER)


2024-05-06 14:17:49
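To make the off-by-one concrete, here is an added example written for this thread (it is not the viewer's code). It mirrors the bound check from unpackTEMessage with both the reported `>` and the proposed `>=` comparison, reports where the terminating 0x00 would land, and shows a hardened unpack that always keeps one byte free. It assumes MAX_TE_BUFFER is 4096 as stated above; the TEContents struct and the canary field are constructed stand-ins for LLTEContents.

```c
#include <stdint.h>
#include <string.h>

#define MAX_TE_BUFFER 4096   /* value quoted in the report; assumed here */

/* Constructed stand-in for LLTEContents: only the packed buffer matters,
 * plus a canary placed right after it so a one-byte overrun would be visible. */
typedef struct {
    uint8_t  packed_buffer[MAX_TE_BUFFER];
    uint32_t canary;
} TEContents;

/* Reproduces the size clamp from unpackTEMessage and returns the index at
 * which packed_buffer[size++] = 0x00 would write. strict=0 is the reported
 * '>' check, strict=1 is the proposed '>=' check. No memory is touched. */
int terminator_index(int size, int strict)
{
    if (size == 0)
        return 0;
    if (strict ? (uint32_t)size >= MAX_TE_BUFFER
               : (uint32_t)size >  MAX_TE_BUFFER)
        size = MAX_TE_BUFFER - 1;
    return size;
}

/* True when writing packed_buffer[idx] stays inside the array. */
int terminator_in_bounds(int idx)
{
    return idx >= 0 && idx < MAX_TE_BUFFER;
}

/* Hardened unpack: copies at most MAX_TE_BUFFER-1 payload bytes so the
 * terminator always fits. Returns the number of payload bytes kept, or -1
 * for a negative size (the real code receives size from unpackBinaryData). */
int unpack_te_message_fixed(TEContents *data, const uint8_t *src, int size)
{
    if (size < 0)
        return -1;
    if (size == 0)
        return 0;
    if ((uint32_t)size >= MAX_TE_BUFFER)
        size = MAX_TE_BUFFER - 1;       /* truncate, keep one byte for 0x00 */
    memcpy(data->packed_buffer, src, (size_t)size);
    data->packed_buffer[size] = 0x00;  /* always in bounds now */
    return size;
}
```

With a 4096-byte payload the `>` check puts the terminator at index 4096, one past the array, while the `>=` check clamps it to 4095 and only drops the last payload byte.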

Joined: 2009-03-17 18:42:51
Posts: 5901
Good catch, thanks !

Fixed for next releases.


2024-05-06 14:54:20