From 18fa2e6471fe25036341f0375a2f4d4887c8c378 Mon Sep 17 00:00:00 2001
From: Kitty Barnett <develop@catznip.com>
Date: Thu, 12 Oct 2017 22:55:15 +0200
Subject: [PATCH] MAINT-7081 [FIXED] Access (write) violation / buffer overrun
 in LLTextureFetchWorker::doWork()

The trouble lines are:
			U8 * buffer = (U8 *) ALLOCATE_MEM(LLImageBase::getPrivatePool(), total_size);
			if (cur_size > 0)
			{
				memcpy(buffer, mFormattedImage->getData(), cur_size);
			}

If 'cur_size > mHttpReplyOffset + append_size' then 'total_size -= src_offset' will cause
total_size to be smaller than cur_size causing a write access violation on the memcpy.

Since the response is invalid it seemed best to make it follow the other failed partial condition.
(transplanted from 737e28ec6b4d74f3ff915a4effc13d7b615a6a9b)
---
 doc/contributions.txt            | 1 +
 indra/newview/lltexturefetch.cpp | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/doc/contributions.txt b/doc/contributions.txt
index dabae001a38..5307c5345c7 100755
--- a/doc/contributions.txt
+++ b/doc/contributions.txt
@@ -825,6 +825,7 @@ Kitty Barnett
 	MAINT-6568
 	STORM-2149
 	MAINT-7581
+	MAINT-7081
 Kolor Fall
 Komiko Okamoto
 Korvel Noh
diff --git a/indra/newview/lltexturefetch.cpp b/indra/newview/lltexturefetch.cpp
index 1085b159769..f917faadd43 100644
--- a/indra/newview/lltexturefetch.cpp
+++ b/indra/newview/lltexturefetch.cpp
@@ -1746,7 +1746,7 @@ bool LLTextureFetchWorker::doWork(S32 param)
 				// In case of a partial response, our offset may
 				// not be trivially contiguous with the data we have.
 				// Get back into alignment.
-				if (mHttpReplyOffset > cur_size)
+				if ( (mHttpReplyOffset > cur_size) || (cur_size > mHttpReplyOffset + append_size))
 				{
 					LL_WARNS(LOG_TXT) << "Partial HTTP response produces break in image data for texture "
 									  << mID << ".  Aborting load."  << LL_ENDL;
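Review bot: The new clause on the `+` line adds `mHttpReplyOffset + append_size`, two values derived from the HTTP reply, and nothing visible here bounds that sum, so it is worth confirming it cannot wrap. Because `||` only evaluates the second clause once `mHttpReplyOffset <= cur_size` holds, writing it as `(cur_size - mHttpReplyOffset) > append_size` expresses the same check with a subtraction whose result is known to be non-negative. Both conditions also share the single warning "Partial HTTP response produces break in image data", although the new one covers existing data that extends past the end of the reply rather than a gap before it; including `mHttpReplyOffset`, `cur_size` and `append_size` in the log line would let the two cases be told apart. The comment above the `if` still describes only realignment and should mention the second rejection case, and the spacing in `if ( (` differs from the line it replaces.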
-- 
GitLab