2 files changed, 25 insertions, 20 deletions
diff --git a/ChangeLog.txt b/ChangeLog.txt
index e69de29..e06910f 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -0,0 +1,4 @@
+2008-09-16  Nicholaz Beresford  <nicholaz@blueflash.cc>
+        * linden/indra/llmessage/llassetstorage.cpp:
+        VWR-3877: A nasty possible memory overwrite and two minor leaks.
diff --git a/linden/indra/llmessage/llassetstorage.cpp b/linden/indra/llmessage/llassetstorage.cpp
index a6077e5..83026ba 100644
--- a/linden/indra/llmessage/llassetstorage.cpp
+++ b/linden/indra/llmessage/llassetstorage.cpp
@@ -515,16 +515,19 @@ void LLAssetStorage::downloadCompleteCallback(
        S32 result,
        const LLUUID& file_id,
        LLAssetType::EType file_type,
-        void* user_data, LLExtStat ext_status)
+        void* callback_parm_req, LLExtStat ext_status)
 {
        lldebugs << "LLAssetStorage::downloadCompleteCallback() for " << file_id
                 << "," << LLAssetType::lookup(file_type) << llendl;
-        LLAssetRequest* req = (LLAssetRequest*)user_data;
+        // be careful! req may be a ptr to memory already freed (a timeout does this)
+        LLAssetRequest* req = (LLAssetRequest*)callback_parm_req;       
        if(!req)
        {
                llwarns << "LLAssetStorage::downloadCompleteCallback called without"
                        "a valid request." << llendl;
-                return;
+                // we can live with a null pointer, we're not allowed to deref the ptr anyway (see above)
+                // return;  
        }
        if (!gAssetStorage)
        {
@@ -532,12 +535,10 @@ void LLAssetStorage::downloadCompleteCallback(
                return;
        }
-        req->setUUID(file_id);
-        req->setType(file_type);
        if (LL_ERR_NOERR == result)
        {
                // we might have gotten a zero-size file
-                LLVFile vfile(gAssetStorage->mVFS, req->getUUID(), req->getType());
+                LLVFile vfile(gAssetStorage->mVFS, file_id, file_type);
                if (vfile.getSize() <= 0)
                {
                        llwarns << "downloadCompleteCallback has non-existent or zero-size asset " << req->getUUID() << llendl;
@@ -556,7 +557,7 @@ void LLAssetStorage::downloadCompleteCallback(
        {
                request_list_t::iterator curiter = iter++;
                LLAssetRequest* tmp = *curiter;
-                if ((tmp->getUUID() == req->getUUID()) && (tmp->getType()== req->getType()))
+                if ((tmp->getUUID() == file_id) && (tmp->getType() == file_type))
                {
                        requests.push_front(tmp);
                        iter = gAssetStorage->mPendingDownloads.erase(curiter);
@@ -569,7 +570,7 @@ void LLAssetStorage::downloadCompleteCallback(
                LLAssetRequest* tmp = *curiter;
                if (tmp->mDownCallback)
                {
-                        tmp->mDownCallback(gAssetStorage->mVFS, req->getUUID(), req->getType(), tmp->mUserData, result, ext_status);
+                        tmp->mDownCallback(gAssetStorage->mVFS, tmp->getUUID(), tmp->getType(), tmp->mUserData, result, ext_status);
                }
                delete tmp;
        }
@@ -665,10 +666,10 @@ void LLAssetStorage::downloadEstateAssetCompleteCallback(
        S32 result,
        const LLUUID& file_id,
        LLAssetType::EType file_type,
-        void* user_data,
+        void* callback_parm_req,
        LLExtStat ext_status)
 {
-        LLEstateAssetRequest *req = (LLEstateAssetRequest*)user_data;
+        LLEstateAssetRequest *req = (LLEstateAssetRequest*)callback_parm_req;
        if(!req)
        {
                llwarns << "LLAssetStorage::downloadEstateAssetCompleteCallback called"
@@ -682,12 +683,10 @@ void LLAssetStorage::downloadEstateAssetCompleteCallback(
                return;
        }
-        req->setUUID(file_id);
-        req->setType(file_type);
        if (LL_ERR_NOERR == result)
        {
                // we might have gotten a zero-size file
-                LLVFile vfile(gAssetStorage->mVFS, req->getUUID(), req->getAType());
+                LLVFile vfile(gAssetStorage->mVFS, file_id, file_type);
                if (vfile.getSize() <= 0)
                {
                        llwarns << "downloadCompleteCallback has non-existent or zero-size asset!" << llendl;
@@ -697,7 +696,9 @@ void LLAssetStorage::downloadEstateAssetCompleteCallback(
                }
        }
-        req->mDownCallback(gAssetStorage->mVFS, req->getUUID(), req->getAType(), req->mUserData, result, ext_status);
+        req->mDownCallback(gAssetStorage->mVFS, file_id, file_type, req->mUserData, result, ext_status);
+        delete req;
 }
 void LLAssetStorage::getInvItemAsset(const LLHost &object_sim, const LLUUID &agent_id, const LLUUID &session_id,
@@ -802,10 +803,10 @@ void LLAssetStorage::downloadInvItemCompleteCallback(
        S32 result,
        const LLUUID& file_id,
        LLAssetType::EType file_type,
-        void* user_data,
+        void* callback_parm_req,
        LLExtStat ext_status)
 {
-        LLInvItemRequest *req = (LLInvItemRequest*)user_data;
+        LLInvItemRequest *req = (LLInvItemRequest*)callback_parm_req;
        if(!req)
        {
                llwarns << "LLAssetStorage::downloadEstateAssetCompleteCallback called"
@@ -818,12 +819,10 @@ void LLAssetStorage::downloadInvItemCompleteCallback(
                return;
        }
-        req->setUUID(file_id);
-        req->setType(file_type);
        if (LL_ERR_NOERR == result)
        {
                // we might have gotten a zero-size file
-                LLVFile vfile(gAssetStorage->mVFS, req->getUUID(), req->getType());
+                LLVFile vfile(gAssetStorage->mVFS, file_id, file_type);
                if (vfile.getSize() <= 0)
                {
                        llwarns << "downloadCompleteCallback has non-existent or zero-size asset!" << llendl;
@@ -833,7 +832,9 @@ void LLAssetStorage::downloadInvItemCompleteCallback(
                }
        }
-        req->mDownCallback(gAssetStorage->mVFS, req->getUUID(), req->getType(), req->mUserData, result, ext_status);
+        req->mDownCallback(gAssetStorage->mVFS, file_id, file_type, req->mUserData, result, ext_status);
+        delete req;
 }
 /////////////////////////////////////////////////////////////////////////////////////////////////////////////////

diff --git a/ChangeLog.txt b/ChangeLog.txt index e69de29..e06910f 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt
@@ -0,0 +1,4 @@
		1	2008-09-16 Nicholaz Beresford <nicholaz@blueflash.cc>
		2
		3	* linden/indra/llmessage/llassetstorage.cpp:
		4	VWR-3877: A nasty possible memory overwrite and two minor leaks.


diff --git a/linden/indra/llmessage/llassetstorage.cpp b/linden/indra/llmessage/llassetstorage.cpp index a6077e5..83026ba 100644 --- a/linden/indra/llmessage/llassetstorage.cpp +++ b/linden/indra/llmessage/llassetstorage.cpp
@@ -515,16 +515,19 @@ void LLAssetStorage::downloadCompleteCallback(
515	S32 result,	515	S32 result,
516	const LLUUID& file_id,	516	const LLUUID& file_id,
517	LLAssetType::EType file_type,	517	LLAssetType::EType file_type,
518	void* user_data, LLExtStat ext_status)	518	void* callback_parm_req, LLExtStat ext_status)
519	{	519	{
520	lldebugs << "LLAssetStorage::downloadCompleteCallback() for " << file_id	520	lldebugs << "LLAssetStorage::downloadCompleteCallback() for " << file_id
521	<< "," << LLAssetType::lookup(file_type) << llendl;	521	<< "," << LLAssetType::lookup(file_type) << llendl;
522	LLAssetRequest* req = (LLAssetRequest*)user_data;	522
		523	// be careful! req may be a ptr to memory already freed (a timeout does this)
		524	LLAssetRequest* req = (LLAssetRequest*)callback_parm_req;
523	if(!req)	525	if(!req)
524	{	526	{
525	llwarns << "LLAssetStorage::downloadCompleteCallback called without"	527	llwarns << "LLAssetStorage::downloadCompleteCallback called without"
526	"a valid request." << llendl;	528	"a valid request." << llendl;
527	return;	529	// we can live with a null pointer, we're not allowed to deref the ptr anyway (see above)
		530	// return;
528	}	531	}
529	if (!gAssetStorage)	532	if (!gAssetStorage)
530	{	533	{
@@ -532,12 +535,10 @@ void LLAssetStorage::downloadCompleteCallback(
532	return;	535	return;
533	}	536	}
534		537
535	req->setUUID(file_id);
536	req->setType(file_type);
537	if (LL_ERR_NOERR == result)	538	if (LL_ERR_NOERR == result)
538	{	539	{
539	// we might have gotten a zero-size file	540	// we might have gotten a zero-size file
540	LLVFile vfile(gAssetStorage->mVFS, req->getUUID(), req->getType());	541	LLVFile vfile(gAssetStorage->mVFS, file_id, file_type);
541	if (vfile.getSize() <= 0)	542	if (vfile.getSize() <= 0)
542	{	543	{
543	llwarns << "downloadCompleteCallback has non-existent or zero-size asset " << req->getUUID() << llendl;	544	llwarns << "downloadCompleteCallback has non-existent or zero-size asset " << req->getUUID() << llendl;
@@ -556,7 +557,7 @@ void LLAssetStorage::downloadCompleteCallback(
556	{	557	{
557	request_list_t::iterator curiter = iter++;	558	request_list_t::iterator curiter = iter++;
558	LLAssetRequest* tmp = *curiter;	559	LLAssetRequest* tmp = *curiter;
559	if ((tmp->getUUID() == req->getUUID()) && (tmp->getType()== req->getType()))	560	if ((tmp->getUUID() == file_id) && (tmp->getType() == file_type))
560	{	561	{
561	requests.push_front(tmp);	562	requests.push_front(tmp);
562	iter = gAssetStorage->mPendingDownloads.erase(curiter);	563	iter = gAssetStorage->mPendingDownloads.erase(curiter);
@@ -569,7 +570,7 @@ void LLAssetStorage::downloadCompleteCallback(
569	LLAssetRequest* tmp = *curiter;	570	LLAssetRequest* tmp = *curiter;
570	if (tmp->mDownCallback)	571	if (tmp->mDownCallback)
571	{	572	{
572	tmp->mDownCallback(gAssetStorage->mVFS, req->getUUID(), req->getType(), tmp->mUserData, result, ext_status);	573	tmp->mDownCallback(gAssetStorage->mVFS, tmp->getUUID(), tmp->getType(), tmp->mUserData, result, ext_status);
573	}	574	}
574	delete tmp;	575	delete tmp;
575	}	576	}
@@ -665,10 +666,10 @@ void LLAssetStorage::downloadEstateAssetCompleteCallback(
665	S32 result,	666	S32 result,
666	const LLUUID& file_id,	667	const LLUUID& file_id,
667	LLAssetType::EType file_type,	668	LLAssetType::EType file_type,
668	void* user_data,	669	void* callback_parm_req,
669	LLExtStat ext_status)	670	LLExtStat ext_status)
670	{	671	{
671	LLEstateAssetRequest req = (LLEstateAssetRequest)user_data;	672	LLEstateAssetRequest req = (LLEstateAssetRequest)callback_parm_req;
672	if(!req)	673	if(!req)
673	{	674	{
674	llwarns << "LLAssetStorage::downloadEstateAssetCompleteCallback called"	675	llwarns << "LLAssetStorage::downloadEstateAssetCompleteCallback called"
@@ -682,12 +683,10 @@ void LLAssetStorage::downloadEstateAssetCompleteCallback(
682	return;	683	return;
683	}	684	}
684		685
685	req->setUUID(file_id);
686	req->setType(file_type);
687	if (LL_ERR_NOERR == result)	686	if (LL_ERR_NOERR == result)
688	{	687	{
689	// we might have gotten a zero-size file	688	// we might have gotten a zero-size file
690	LLVFile vfile(gAssetStorage->mVFS, req->getUUID(), req->getAType());	689	LLVFile vfile(gAssetStorage->mVFS, file_id, file_type);
691	if (vfile.getSize() <= 0)	690	if (vfile.getSize() <= 0)
692	{	691	{
693	llwarns << "downloadCompleteCallback has non-existent or zero-size asset!" << llendl;	692	llwarns << "downloadCompleteCallback has non-existent or zero-size asset!" << llendl;
@@ -697,7 +696,9 @@ void LLAssetStorage::downloadEstateAssetCompleteCallback(
697	}	696	}
698	}	697	}
699		698
700	req->mDownCallback(gAssetStorage->mVFS, req->getUUID(), req->getAType(), req->mUserData, result, ext_status);	699	req->mDownCallback(gAssetStorage->mVFS, file_id, file_type, req->mUserData, result, ext_status);
		700
		701	delete req;
701	}	702	}
702		703
703	void LLAssetStorage::getInvItemAsset(const LLHost &object_sim, const LLUUID &agent_id, const LLUUID &session_id,	704	void LLAssetStorage::getInvItemAsset(const LLHost &object_sim, const LLUUID &agent_id, const LLUUID &session_id,
@@ -802,10 +803,10 @@ void LLAssetStorage::downloadInvItemCompleteCallback(
802	S32 result,	803	S32 result,
803	const LLUUID& file_id,	804	const LLUUID& file_id,
804	LLAssetType::EType file_type,	805	LLAssetType::EType file_type,
805	void* user_data,	806	void* callback_parm_req,
806	LLExtStat ext_status)	807	LLExtStat ext_status)
807	{	808	{
808	LLInvItemRequest req = (LLInvItemRequest)user_data;	809	LLInvItemRequest req = (LLInvItemRequest)callback_parm_req;
809	if(!req)	810	if(!req)
810	{	811	{
811	llwarns << "LLAssetStorage::downloadEstateAssetCompleteCallback called"	812	llwarns << "LLAssetStorage::downloadEstateAssetCompleteCallback called"
@@ -818,12 +819,10 @@ void LLAssetStorage::downloadInvItemCompleteCallback(
818	return;	819	return;
819	}	820	}
820		821
821	req->setUUID(file_id);
822	req->setType(file_type);
823	if (LL_ERR_NOERR == result)	822	if (LL_ERR_NOERR == result)
824	{	823	{
825	// we might have gotten a zero-size file	824	// we might have gotten a zero-size file
826	LLVFile vfile(gAssetStorage->mVFS, req->getUUID(), req->getType());	825	LLVFile vfile(gAssetStorage->mVFS, file_id, file_type);
827	if (vfile.getSize() <= 0)	826	if (vfile.getSize() <= 0)
828	{	827	{
829	llwarns << "downloadCompleteCallback has non-existent or zero-size asset!" << llendl;	828	llwarns << "downloadCompleteCallback has non-existent or zero-size asset!" << llendl;
@@ -833,7 +832,9 @@ void LLAssetStorage::downloadInvItemCompleteCallback(
833	}	832	}
834	}	833	}
835		834
836	req->mDownCallback(gAssetStorage->mVFS, req->getUUID(), req->getType(), req->mUserData, result, ext_status);	835	req->mDownCallback(gAssetStorage->mVFS, file_id, file_type, req->mUserData, result, ext_status);
		836
		837	delete req;
837	}	838	}
838		839
839	/////////////////////////////////////////////////////////////////////////////////////////////////////////////////	840	/////////////////////////////////////////////////////////////////////////////////////////////////////////////////