add guards against buffer overflow in voxel server for edit/delete voxel packets

2025-04-16 22:30:42 +02:00 · 2013-11-05 11:12:14 -08:00 · 2013-11-05 11:12:14 -08:00 · 1c4163b010
commit 1c4163b010
parent 27ed53301b
2 changed files with 28 additions and 18 deletions
--- a/libraries/voxel-server-library/src/VoxelServerPacketProcessor.cpp
+++ b/libraries/voxel-server-library/src/VoxelServerPacketProcessor.cpp
@ -49,25 +49,31 @@ void VoxelServerPacketProcessor::processPacket(sockaddr& senderAddress, unsigned
        int atByte = numBytesPacketHeader + sizeof(itemNumber);
        unsigned char* voxelData = (unsigned char*)&packetData[atByte];
        while (atByte < packetLength) {
-            unsigned char octets = (unsigned char)*voxelData;
+            unsigned char octets = numberOfThreeBitSectionsInCode(voxelData);
            const int COLOR_SIZE_IN_BYTES = 3;
            int voxelDataSize = bytesRequiredForCodeLength(octets) + COLOR_SIZE_IN_BYTES;
            int voxelCodeSize = bytesRequiredForCodeLength(octets);

-            if (_myServer->wantShowAnimationDebug()) {
-                int red   = voxelData[voxelCodeSize + 0];
-                int green = voxelData[voxelCodeSize + 1];
-                int blue  = voxelData[voxelCodeSize + 2];
+            if (atByte + voxelDataSize <= packetLength) {
+                if (_myServer->wantShowAnimationDebug()) {
+                    int red   = voxelData[voxelCodeSize + 0];
+                    int green = voxelData[voxelCodeSize + 1];
+                    int blue  = voxelData[voxelCodeSize + 2];

-                float* vertices = firstVertexForCode(voxelData);
-                printf("inserting voxel: %f,%f,%f r=%d,g=%d,b=%d\n", vertices[0], vertices[1], vertices[2], red, green, blue);
-                delete[] vertices;
-            }
+                    float* vertices = firstVertexForCode(voxelData);
+                    printf("inserting voxel: %f,%f,%f r=%d,g=%d,b=%d\n", vertices[0], vertices[1], vertices[2], red, green, blue);
+                    delete[] vertices;
+                }
        
-            _myServer->getServerTree().readCodeColorBufferToTree(voxelData, destructive);
-            // skip to next
-            voxelData += voxelDataSize;
-            atByte += voxelDataSize;
+                _myServer->getServerTree().readCodeColorBufferToTree(voxelData, destructive);
+
+                // skip to next voxel edit record in the packet
+                voxelData += voxelDataSize;
+                atByte += voxelDataSize;
+            } else {
+                printf("WARNING! Got voxel edit record that would overflow buffer, bailing processing of packet!\n");
+                break;
+            }
        }

        // Make sure our Node and NodeList knows we've heard from this node.
--- a/libraries/voxels/src/VoxelTree.cpp
+++ b/libraries/voxels/src/VoxelTree.cpp
@ -583,11 +583,15 @@ void VoxelTree::processRemoveVoxelBitstream(unsigned char * bitstream, int buffe
    while (atByte < bufferSizeBytes) {
        int codeLength = numberOfThreeBitSectionsInCode(voxelCode);
        int voxelDataSize = bytesRequiredForCodeLength(codeLength) + SIZE_OF_COLOR_DATA;
-
-        deleteVoxelCodeFromTree(voxelCode, COLLAPSE_EMPTY_TREE);
-
-        voxelCode+=voxelDataSize;
-        atByte+=voxelDataSize;
+        
+        if (atByte + voxelDataSize <= bufferSizeBytes) {
+            deleteVoxelCodeFromTree(voxelCode, COLLAPSE_EMPTY_TREE);
+            voxelCode+=voxelDataSize;
+            atByte+=voxelDataSize;
+        } else {
+            printf("WARNING! Got remove voxel bitstream that would overflow buffer, bailing processing!\n");
+            break;
+        }
    }
 }