Cool VL Viewer forum
http://sldev.free.fr/forum/

Buffer overflow in llprimitive.cpp / unpackTEMessage
http://sldev.free.fr/forum/viewtopic.php?f=4&t=2495

Author:  kathrine [ 2024-05-06 14:17:49 ]
Post subject:  Buffer overflow in llprimitive.cpp / unpackTEMessage

Visual Studio Analyzer found this one:

Code:
S32 LLPrimitive::unpackTEMessage(LLDataPacker& dp)
{
   // Avoid construction of 90 UUIDs + 45 LLColor4U + 90 F32 + 135 S16 +
   // 135 U8 + a 4096 bytes buffer per call...
   static LLTEContents data;
   memset((void*)&data, 0, sizeof(data));

   S32 size;
   if (!dp.unpackBinaryData(data.packed_buffer, size, "TextureEntry"))
   {
      llwarns << "Bad texture entry block !  Aborted !" << llendl;
      return TEM_INVALID;
   }
   if (size == 0)
   {
      return 0;
   }
   if ((U32)size > MAX_TE_BUFFER)
   {
      llwarns << "Excessive buffer size detected in texture entry; truncating."
            << llendl;
      size = MAX_TE_BUFFER - 1;
   }
   // The last field is not zero-terminated. Rather than a special case for
   // unpack functions, just add the missing null byte.
   data.packed_buffer[size++] = 0x00;


If the size is exactly 4096 (= MAX_TE_BUFFER), this overflows the data.packed_buffer and writes a 0-byte beyond the end.

Fix is probably to check for >=

Code:
if ((U32)size >= MAX_TE_BUFFER)

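Added example (not the viewer's code and not part of either post): a small C++ model of the clamp quoted above, with a guard byte placed directly after a 4096-byte buffer so that the off-by-one shows up as a clobbered guard instead of silent corruption. kMaxTEBuffer, TEModel and the function names are constructed stand-ins for MAX_TE_BUFFER and LLTEContents::packed_buffer; only the comparison operator differs between the two clamp variants.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Constructed stand-in for MAX_TE_BUFFER (the post gives 4096).
static const uint32_t kMaxTEBuffer = 4096;

// Model of packed_buffer plus one guard byte immediately after it, so an
// off-by-one write lands on the guard rather than on unrelated memory.
struct TEModel {
    uint8_t storage[kMaxTEBuffer + 1];  // [0, kMaxTEBuffer) is the buffer, [kMaxTEBuffer] is the guard
};
static const uint8_t kGuard = 0xA5;

// The clamp as quoted: 'size > MAX' lets size == MAX through unchanged, so the
// terminator index becomes MAX, one past the last valid byte.
int32_t clampOriginal(int32_t size) {
    if ((uint32_t)size > kMaxTEBuffer) size = kMaxTEBuffer - 1;
    return size;  // index at which the 0x00 terminator is written
}

// The proposed fix: 'size >= MAX' caps the terminator index at MAX - 1.
int32_t clampFixed(int32_t size) {
    if ((uint32_t)size >= kMaxTEBuffer) size = kMaxTEBuffer - 1;
    return size;
}

// Runs one declared message length through a clamp and appends the terminator
// the way the viewer does. Returns true if the guard byte survived, i.e. the
// write stayed inside the logical 4096-byte buffer.
bool terminatorStaysInBounds(int32_t declaredSize, int32_t (*clamp)(int32_t)) {
    TEModel m;
    memset(m.storage, 0, sizeof(m.storage));
    m.storage[kMaxTEBuffer] = kGuard;
    if (declaredSize == 0) return true;   // the early "return 0" path, nothing written
    int32_t size = clamp(declaredSize);   // both clamps return a value in [0, kMaxTEBuffer]
    m.storage[size++] = 0x00;             // the write from the post
    return m.storage[kMaxTEBuffer] == kGuard;
}

int main() {
    const int32_t sizes[] = {100, 4095, 4096, 4097, -1};
    for (int32_t s : sizes) {
        printf("size=%6d  original clamp in bounds: %s   fixed clamp in bounds: %s\n", s,
               terminatorStaysInBounds(s, clampOriginal) ? "yes" : "NO ",
               terminatorStaysInBounds(s, clampFixed) ? "yes" : "NO ");
    }
    return 0;
}
```

Only the boundary value 4096 separates the two variants: larger sizes are already truncated by both, and a negative size is cast to a large unsigned value and truncated as well. The guard-byte technique is the same idea sanitizers and allocator red zones use, which is why an ASan build would report this write directly.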
Author:  Henri Beauchamp [ 2024-05-06 14:54:20 ]
Post subject:  Re: Buffer overflow in llprimitive.cpp / unpackTEMessage

Good catch, thanks !

Fixed for next releases.
