From 6faa7fc7f9c47ed4a15a1fdf9a93efab0f163e74 Mon Sep 17 00:00:00 2001 From: Melanie Date: Sat, 17 Nov 2012 02:31:56 +0100 Subject: Prevent a buffer overflow in asset receiving --- .../Agent/AssetTransaction/AssetXferUploader.cs | 31 ++++++++++++++-------- 1 file changed, 20 insertions(+), 11 deletions(-) (limited to 'OpenSim/Region/CoreModules') diff --git a/OpenSim/Region/CoreModules/Agent/AssetTransaction/AssetXferUploader.cs b/OpenSim/Region/CoreModules/Agent/AssetTransaction/AssetXferUploader.cs index 4cedfe6..4b54843 100644 --- a/OpenSim/Region/CoreModules/Agent/AssetTransaction/AssetXferUploader.cs +++ b/OpenSim/Region/CoreModules/Agent/AssetTransaction/AssetXferUploader.cs @@ -100,18 +100,27 @@ namespace OpenSim.Region.CoreModules.Agent.AssetTransaction if (XferID == xferID) { - if (m_asset.Data.Length > 1) - { - byte[] destinationArray = new byte[m_asset.Data.Length + data.Length]; - Array.Copy(m_asset.Data, 0, destinationArray, 0, m_asset.Data.Length); - Array.Copy(data, 0, destinationArray, m_asset.Data.Length, data.Length); - m_asset.Data = destinationArray; - } - else + lock (this) { - byte[] buffer2 = new byte[data.Length - 4]; - Array.Copy(data, 4, buffer2, 0, data.Length - 4); - m_asset.Data = buffer2; + int assetLength = m_asset.Data.Length; + int dataLength = data.Length; + + if (m_asset.Data.Length > 1) + { + byte[] destinationArray = new byte[assetLength + dataLength]; + Array.Copy(m_asset.Data, 0, destinationArray, 0, assetLength); + Array.Copy(data, 0, destinationArray, assetLength, dataLength); + m_asset.Data = destinationArray; + } + else + { + if (dataLength > 4) + { + byte[] buffer2 = new byte[dataLength - 4]; + Array.Copy(data, 4, buffer2, 0, dataLength - 4); + m_asset.Data = buffer2; + } + } } ourClient.SendConfirmXfer(xferID, packetID); -- cgit v1.1