From a6e8e60f5051ae27cb771e0404f1d5579ab85ebb Mon Sep 17 00:00:00 2001
From: Kitty Barnett <develop@catznip.com>
Date: Tue, 19 Feb 2013 21:21:41 +0100
Subject: [PATCH] Don't overrun the message buffer extracting materials ids
 when the region isn't sending them

---
 indra/llprimitive/llprimitive.cpp | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/indra/llprimitive/llprimitive.cpp b/indra/llprimitive/llprimitive.cpp
index d28cd89a1b5..1a177f1c14f 100644
--- a/indra/llprimitive/llprimitive.cpp
+++ b/indra/llprimitive/llprimitive.cpp
@@ -1075,6 +1075,7 @@ S32 LLPrimitive::unpackTEField(U8 *cur_ptr, U8 *buffer_end, U8 *data_ptr, U8 dat
 		}
 		cur_ptr += data_size;		
 	}
+	llassert(cur_ptr <= buffer_end);
 	return (S32)(cur_ptr - start_loc);
 }
 
@@ -1328,8 +1329,15 @@ S32 LLPrimitive::unpackTEMessage(LLMessageSystem* mesgsys, char const* block_nam
 	cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)media_flags, 1, face_count, MVT_U8);
 	cur_ptr++;
 	cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)glow, 1, face_count, MVT_U8);
-	cur_ptr++;
-	cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)material_data, 16, face_count, MVT_LLUUID);
+	if (cur_ptr < packed_buffer + size)
+	{
+		cur_ptr++;
+		cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)material_data, 16, face_count, MVT_LLUUID);
+	}
+	else
+	{
+		memset(material_data, 0, sizeof(material_data));
+	}
 	
 	for (U32 i = 0; i < face_count; i++)
 	{
@@ -1429,8 +1437,15 @@ S32 LLPrimitive::unpackTEMessage(LLDataPacker &dp)
 	cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)media_flags, 1, face_count, MVT_U8);
 	cur_ptr++;
 	cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)glow, 1, face_count, MVT_U8);
-	cur_ptr++;
-	cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)material_data, 16, face_count, MVT_LLUUID);
+	if (cur_ptr < packed_buffer + size)
+	{
+		cur_ptr++;
+		cur_ptr += unpackTEField(cur_ptr, packed_buffer+size, (U8 *)material_data, 16, face_count, MVT_LLUUID);
+	}
+	else
+	{
+		memset(material_data, 0, sizeof(material_data));
+	}
 
 	for (i = 0; i < face_count; i++)
 	{
-- 
GitLab