Merge pull request #1180 from ZappoMan/bugfixes

add guards against buffer overflow in voxel server for edit/delete voxel packets

libraries/voxel-server-library/src/VoxelServerPacketProcessor.cpp

@@ -49,25 +49,31 @@ void VoxelServerPacketProcessor::processPacket(sockaddr& senderAddress, unsigned
         int atByte = numBytesPacketHeader + sizeof(itemNumber);
         unsigned char* voxelData = (unsigned char*)&packetData[atByte];
         while (atByte < packetLength) {
-            unsigned char octets = (unsigned char)*voxelData;
+            unsigned char octets = numberOfThreeBitSectionsInCode(voxelData);
             const int COLOR_SIZE_IN_BYTES = 3;
             int voxelDataSize = bytesRequiredForCodeLength(octets) + COLOR_SIZE_IN_BYTES;
             int voxelCodeSize = bytesRequiredForCodeLength(octets);
 
-            if (_myServer->wantShowAnimationDebug()) {
+            if (atByte + voxelDataSize <= packetLength) {
-                int red   = voxelData[voxelCodeSize + 0];
+                if (_myServer->wantShowAnimationDebug()) {
-                int green = voxelData[voxelCodeSize + 1];
+                    int red   = voxelData[voxelCodeSize + RED_INDEX];
-                int blue  = voxelData[voxelCodeSize + 2];
+                    int green = voxelData[voxelCodeSize + GREEN_INDEX];
+                    int blue  = voxelData[voxelCodeSize + BLUE_INDEX];
 
-                float* vertices = firstVertexForCode(voxelData);
+                    float* vertices = firstVertexForCode(voxelData);
-                printf("inserting voxel: %f,%f,%f r=%d,g=%d,b=%d\n", vertices[0], vertices[1], vertices[2], red, green, blue);
+                    printf("inserting voxel: %f,%f,%f r=%d,g=%d,b=%d\n", vertices[0], vertices[1], vertices[2], red, green, blue);
-                delete[] vertices;
+                    delete[] vertices;
-            }
+                }
         
-            _myServer->getServerTree().readCodeColorBufferToTree(voxelData, destructive);
+                _myServer->getServerTree().readCodeColorBufferToTree(voxelData, destructive);
-            // skip to next
+
-            voxelData += voxelDataSize;
+                // skip to next voxel edit record in the packet
-            atByte += voxelDataSize;
+                voxelData += voxelDataSize;
+                atByte += voxelDataSize;
+            } else {
+                printf("WARNING! Got voxel edit record that would overflow buffer, bailing processing of packet!\n");
+                break;
+            }
         }
 
         // Make sure our Node and NodeList knows we've heard from this node.

libraries/voxels/src/VoxelTree.cpp

@@ -583,11 +583,15 @@ void VoxelTree::processRemoveVoxelBitstream(unsigned char * bitstream, int buffe
     while (atByte < bufferSizeBytes) {
         int codeLength = numberOfThreeBitSectionsInCode(voxelCode);
         int voxelDataSize = bytesRequiredForCodeLength(codeLength) + SIZE_OF_COLOR_DATA;
-
+        
-        deleteVoxelCodeFromTree(voxelCode, COLLAPSE_EMPTY_TREE);
+        if (atByte + voxelDataSize <= bufferSizeBytes) {
-
+            deleteVoxelCodeFromTree(voxelCode, COLLAPSE_EMPTY_TREE);
-        voxelCode+=voxelDataSize;
+            voxelCode += voxelDataSize;
-        atByte+=voxelDataSize;
+            atByte += voxelDataSize;
+        } else {
+            printf("WARNING! Got remove voxel bitstream that would overflow buffer, bailing processing!\n");
+            break;
+        }
     }
 }