diff options
Diffstat (limited to '')
| -rw-r--r-- | ChangeLog.txt | 6 | ||||
| -rw-r--r-- | linden/indra/llcharacter/llkeyframemotion.cpp | 4 | ||||
| -rw-r--r-- | linden/indra/llmessage/lldatapacker.cpp | 23 |
3 files changed, 26 insertions, 7 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt index c195870..22e9a0a 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt | |||
| @@ -1,5 +1,11 @@ | |||
| 1 | 2010-02-18 Jacek Antonelli <jacek.antonelli@gmail.com> | 1 | 2010-02-18 Jacek Antonelli <jacek.antonelli@gmail.com> |
| 2 | 2 | ||
| 3 | * SNOW-492: LLDataPacker::unpackstring() is unsafe. | ||
| 4 | Patch by Robin Cornelius. | ||
| 5 | |||
| 6 | modified: linden/indra/llmessage/lldatapacker.cpp | ||
| 7 | |||
| 8 | |||
| 3 | * SNOW-488: Malformed animation crash. | 9 | * SNOW-488: Malformed animation crash. |
| 4 | Patch by Robin Cornelius. | 10 | Patch by Robin Cornelius. |
| 5 | 11 | ||
diff --git a/linden/indra/llcharacter/llkeyframemotion.cpp b/linden/indra/llcharacter/llkeyframemotion.cpp index 46dee09..e6ef767 100644 --- a/linden/indra/llcharacter/llkeyframemotion.cpp +++ b/linden/indra/llcharacter/llkeyframemotion.cpp | |||
| @@ -1355,8 +1355,8 @@ BOOL LLKeyframeMotion::deserialize(LLDataPacker& dp) | |||
| 1355 | } | 1355 | } |
| 1356 | else | 1356 | else |
| 1357 | { | 1357 | { |
| 1358 | llwarns << "joint not found: " << joint_name << llendl; | 1358 | llwarns << "joint not found: " << llendl; |
| 1359 | //return FALSE; | 1359 | return FALSE; |
| 1360 | } | 1360 | } |
| 1361 | 1361 | ||
| 1362 | joint_motion->mJointName = joint_name; | 1362 | joint_motion->mJointName = joint_name; |
diff --git a/linden/indra/llmessage/lldatapacker.cpp b/linden/indra/llmessage/lldatapacker.cpp index 1cdb475..e4243a5 100644 --- a/linden/indra/llmessage/lldatapacker.cpp +++ b/linden/indra/llmessage/lldatapacker.cpp | |||
| @@ -186,18 +186,31 @@ BOOL LLDataPackerBinaryBuffer::packString(const std::string& value, const char * | |||
| 186 | return success; | 186 | return success; |
| 187 | } | 187 | } |
| 188 | 188 | ||
| 189 | |||
| 190 | BOOL LLDataPackerBinaryBuffer::unpackString(std::string& value, const char *name) | 189 | BOOL LLDataPackerBinaryBuffer::unpackString(std::string& value, const char *name) |
| 191 | { | 190 | { |
| 192 | BOOL success = TRUE; | 191 | //Sanitise the string before attemping ANY buffer operations |
| 193 | S32 length = (S32)strlen((char *)mCurBufferp) + 1; /*Flawfinder: ignore*/ | 192 | U8 * pos; |
| 193 | S32 length=0; | ||
| 194 | for(pos=mCurBufferp;pos<(mBufferp+mBufferSize);pos++) | ||
| 195 | { | ||
| 196 | length++; | ||
| 197 | if((*pos)==0) | ||
| 198 | break; | ||
| 199 | } | ||
| 194 | 200 | ||
| 195 | success &= verifyLength(length, name); | 201 | if(length>=mBufferSize) |
| 202 | { | ||
| 203 | llwarns << "Unpack string failed, null termination not found"<<llendl; | ||
| 204 | return false; | ||
| 205 | } | ||
| 206 | |||
| 207 | if(!verifyLength(length, name)) | ||
| 208 | return false; | ||
| 196 | 209 | ||
| 197 | value = std::string((char*)mCurBufferp); // We already assume NULL termination calling strlen() | 210 | value = std::string((char*)mCurBufferp); // We already assume NULL termination calling strlen() |
| 198 | 211 | ||
| 199 | mCurBufferp += length; | 212 | mCurBufferp += length; |
| 200 | return success; | 213 | return true; |
| 201 | } | 214 | } |
| 202 | 215 | ||
| 203 | BOOL LLDataPackerBinaryBuffer::packBinaryData(const U8 *value, S32 size, const char *name) | 216 | BOOL LLDataPackerBinaryBuffer::packBinaryData(const U8 *value, S32 size, const char *name) |