// Unpacks the "TextureEntry" binary block from the data packer into a static
// scratch LLTEContents. Returns TEM_INVALID when the block cannot be unpacked
// and 0 when the block is empty. Only the start of the function is shown in
// this excerpt; the decoding of the buffer is not visible here.
S32 LLPrimitive::unpackTEMessage(LLDataPacker& dp)
{
	// Avoid construction of 90 UUIDs + 45 LLColor4U + 90 F32 + 135 S16 +
	// 135 U8 + a 4096 bytes buffer per call...
	// The scratch object is static, so it is shared by every call and is
	// wiped here before use.
	static LLTEContents data;
	memset((void*)&data, 0, sizeof(data));

	S32 size;
	// NOTE(review): the bytes are copied into packed_buffer by this call,
	// i.e. before the size check below runs. Whether unpackBinaryData()
	// bounds the copy to the destination size is not visible in this
	// excerpt - confirm against its implementation.
	if (!dp.unpackBinaryData(data.packed_buffer, size, "TextureEntry"))
	{
		llwarns << "Bad texture entry block ! Aborted !" << llendl;
		return TEM_INVALID;
	}

	if (size == 0)
	{
		return 0;
	}

	// The cast to U32 makes a negative size compare as a very large value,
	// so it also takes the truncation path (presumably S32 is signed and
	// U32 unsigned, as the names suggest).
	// NOTE(review): off-by-one. With '>' a size equal to MAX_TE_BUFFER is
	// not clamped, so the terminator store below writes to
	// packed_buffer[MAX_TE_BUFFER], one byte past the end (assuming
	// packed_buffer holds MAX_TE_BUFFER bytes, as the comment above
	// implies). The comparison needs to be '>=' so that the largest size
	// left untouched is MAX_TE_BUFFER - 1.
	if ((U32)size > MAX_TE_BUFFER)
	{
		llwarns << "Excessive buffer size detected in texture entry; truncating."
				<< llendl;
		size = MAX_TE_BUFFER - 1;
	}

	// The last field is not zero-terminated. Rather than a special case for
	// unpack functions, just add the missing null byte.
	// This store is only in bounds when size <= MAX_TE_BUFFER - 1 on entry.
	data.packed_buffer[size++] = 0x00;
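If the size is exactly 4096 (= MAX_TE_BUFFER), the `(U32)size > MAX_TE_BUFFER` check does not trigger, so `data.packed_buffer[size++] = 0x00` overflows data.packed_buffer and writes a 0-byte beyond the end. Sizes up to MAX_TE_BUFFER - 1 are the largest that leave room for the added null byte, so the comparison should be `>=` rather than `>`.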