MAINT-7081 [FIXED] Access (write) violation / buffer overrun in LLTextureFetchWorker::doWork()

The trouble lines are:
			U8 * buffer = (U8 *) ALLOCATE_MEM(LLImageBase::getPrivatePool(), total_size);
			if (cur_size > 0)
			{
				memcpy(buffer, mFormattedImage->getData(), cur_size);
			}

If 'cur_size > mHttpReplyOffset + append_size' then 'total_size -= src_offset' will cause
total_size to be smaller than cur_size, causing a write access violation on the memcpy.

Since the response is invalid, it seemed best to make it follow the other failed partial condition.
(transplanted from 737e28ec6b4d74f3ff915a4effc13d7b615a6a9b)
master
Kitty Barnett 2017-10-12 22:55:15 +02:00
parent 5a7b36d506
commit 18fa2e6471
2 changed files with 2 additions and 1 deletions

@ -825,6 +825,7 @@ Kitty Barnett
MAINT-6568
STORM-2149
MAINT-7581
MAINT-7081
Kolor Fall
Komiko Okamoto
Korvel Noh

@ -1746,7 +1746,7 @@ bool LLTextureFetchWorker::doWork(S32 param)
// In case of a partial response, our offset may
// not be trivially contiguous with the data we have.
// Get back into alignment.
if (mHttpReplyOffset > cur_size)
if ( (mHttpReplyOffset > cur_size) || (cur_size > mHttpReplyOffset + append_size))
{
LL_WARNS(LOG_TXT) << "Partial HTTP response produces break in image data for texture "
<< mID << ". Aborting load." << LL_ENDL;
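Review bot: the new `cur_size > mHttpReplyOffset + append_size` branch of the `if` reuses the existing "Partial HTTP response produces break in image data" warning, so a log line cannot tell a gap (`mHttpReplyOffset > cur_size`) apart from a reply that ends short of the data already held. Consider adding `mHttpReplyOffset`, `cur_size` and `append_size` to the message so the rejected response can be diagnosed from the log. The commit message places the actual overrun at the `memcpy` that follows `total_size -= src_offset`; a check that `total_size >= cur_size` directly before the allocation would keep that copy safe even if this condition is edited later. If either operand of `mHttpReplyOffset + append_size` is taken from the HTTP response, please confirm the sum cannot wrap for the types involved. Minor style point: the spacing in `if ( (` versus the closing `))` is uneven.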