From e7e617f42351876e3d003f885e89d19a02ab6f48 Mon Sep 17 00:00:00 2001
From: "Graham Madarasz (Graham)" <graham@lindenlab.com>
Date: Mon, 4 Mar 2013 11:10:10 -0800
Subject: [PATCH] For MAINT-2303 Fix potential stack smash from well-crafted
 meshes

---
 indra/newview/llvovolume.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/indra/newview/llvovolume.cpp b/indra/newview/llvovolume.cpp
index c0f80cf8556..c7d317c5268 100644
--- a/indra/newview/llvovolume.cpp
+++ b/indra/newview/llvovolume.cpp
@@ -3839,7 +3839,8 @@ void LLRiggedVolume::update(const LLMeshSkinInfo* skin, LLVOAvatar* avatar, cons
 	LLMatrix4a mp[64];
 	LLMatrix4* mat = (LLMatrix4*) mp;
 	
-	for (U32 j = 0; j < skin->mJointNames.size(); ++j)
+	U32 maxJoints = llmin(skin->mJointNames.size(), 64);
+	for (U32 j = 0; j < maxJoints; ++j)
 	{
 		LLJoint* joint = avatar->getJoint(skin->mJointNames[j]);
 		if (joint)
@@ -3894,8 +3895,11 @@ void LLRiggedVolume::update(const LLMeshSkinInfo* skin, LLVOAvatar* avatar, cons
 						F32 w = wght[k];
 
 						LLMatrix4a src;
-						src.setMul(mp[idx[k]], w);
-
+						// Insure ref'd bone is in our clamped array of mats
+						llassert(idx[k] < 64);
+						// don't read garbage off the stack in release
+						if (idx[k] < 64)
+							src.setMul(mp[idx[k]], w);
 						final_mat.add(src);
 					}
 
-- 
GitLab