SNOW-492: LLDataPacker::unpackstring() is unsafe.

Patch by Robin Cornelius.
author: Jacek Antonelli 2010-02-18 19:19:12 -0600
committer: Jacek Antonelli 2010-02-18 19:19:12 -0600
commit: 76937222933d5830a9e1de80a86072c31039bc12 (patch)
tree: 5f59369af66088b379bbcdcaccf0fcd8fd751607 /linden
parent: SNOW-488: Malformed animation crash. (diff)
download: meta-impy-76937222933d5830a9e1de80a86072c31039bc12.zip
meta-impy-76937222933d5830a9e1de80a86072c31039bc12.tar.gz
meta-impy-76937222933d5830a9e1de80a86072c31039bc12.tar.bz2
meta-impy-76937222933d5830a9e1de80a86072c31039bc12.tar.xz
2 files changed, 20 insertions, 7 deletions
diff --git a/linden/indra/llcharacter/llkeyframemotion.cpp b/linden/indra/llcharacter/llkeyframemotion.cpp
index 46dee09..e6ef767 100644
--- a/linden/indra/llcharacter/llkeyframemotion.cpp
+++ b/linden/indra/llcharacter/llkeyframemotion.cpp
@@ -1355,8 +1355,8 @@ BOOL LLKeyframeMotion::deserialize(LLDataPacker& dp)
                }
                else
                {
-                        llwarns << "joint not found: " << joint_name << llendl;
+                        llwarns << "joint not found: " << llendl;
-                        //return FALSE;
+                        return FALSE;
                }
                joint_motion->mJointName = joint_name;
diff --git a/linden/indra/llmessage/lldatapacker.cpp b/linden/indra/llmessage/lldatapacker.cpp
index 1cdb475..e4243a5 100644
--- a/linden/indra/llmessage/lldatapacker.cpp
+++ b/linden/indra/llmessage/lldatapacker.cpp
@@ -186,18 +186,31 @@ BOOL LLDataPackerBinaryBuffer::packString(const std::string& value, const char *
        return success;
 }
 BOOL LLDataPackerBinaryBuffer::unpackString(std::string& value, const char *name)
 {
-        BOOL success = TRUE;
+        //Sanitise the string before attemping ANY buffer operations
-        S32 length = (S32)strlen((char *)mCurBufferp) + 1; /*Flawfinder: ignore*/
+        U8 * pos;
+        S32 length=0;
+        for(pos=mCurBufferp;pos<(mBufferp+mBufferSize);pos++)
+        {
+                length++;
+                if((*pos)==0)
+                        break;
+        }
-        success &= verifyLength(length, name);
+        if(length>=mBufferSize)
+        {
+                llwarns << "Unpack string failed, null termination not found"<<llendl;
+                return false;
+        }
+        if(!verifyLength(length, name))
+                return false;
        value = std::string((char*)mCurBufferp); // We already assume NULL termination calling strlen()
        
        mCurBufferp += length;
-        return success;
+        return true;
 }
 BOOL LLDataPackerBinaryBuffer::packBinaryData(const U8 *value, S32 size, const char *name)
author	Jacek Antonelli	2010-02-18 19:19:12 -0600
committer	Jacek Antonelli	2010-02-18 19:19:12 -0600
commit	76937222933d5830a9e1de80a86072c31039bc12 (patch)
tree	5f59369af66088b379bbcdcaccf0fcd8fd751607 /linden
parent	SNOW-488: Malformed animation crash. (diff)
download	meta-impy-76937222933d5830a9e1de80a86072c31039bc12.zip meta-impy-76937222933d5830a9e1de80a86072c31039bc12.tar.gz meta-impy-76937222933d5830a9e1de80a86072c31039bc12.tar.bz2 meta-impy-76937222933d5830a9e1de80a86072c31039bc12.tar.xz