patch for possible static memory corruption on large edit entity messages

This commit is contained in:
ZappoMan 2014-09-04 09:52:26 -07:00
parent cdaf59c962
commit 957991b67e
2 changed files with 16 additions and 5 deletions


@ -32,7 +32,7 @@ void EntityEditPacketSender::queueEditEntityMessage(PacketType type, EntityItemI
}
// use MAX_PACKET_SIZE since it's static and guaranteed to be larger than _maxPacketSize
static unsigned char bufferOut[MAX_PACKET_SIZE];
unsigned char bufferOut[MAX_PACKET_SIZE];
int sizeOut = 0;
if (EntityItemProperties::encodeEntityEditPacket(type, modelID, properties, &bufferOut[0], _maxPacketSize, sizeOut)) {
@ -45,7 +45,7 @@ void EntityEditPacketSender::queueEraseEntityMessage(const EntityItemID& entityI
return; // bail early
}
// use MAX_PACKET_SIZE since it's static and guaranteed to be larger than _maxPacketSize
static unsigned char bufferOut[MAX_PACKET_SIZE];
unsigned char bufferOut[MAX_PACKET_SIZE];
size_t sizeOut = 0;
if (EntityItemProperties::encodeEraseEntityMessage(entityItemID, &bufferOut[0], _maxPacketSize, sizeOut)) {
queueOctreeEditMessage(PacketTypeEntityErase, bufferOut, sizeOut);
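Review bot: The safety of the new stack array still rests on the comment's unenforced claim that MAX_PACKET_SIZE is larger than _maxPacketSize, because both encoders are handed `_maxPacketSize` as their limit rather than the real size of `bufferOut`; if that invariant ever breaks, the in-encoder bounds check passes and the memcpy writes past the array. An `assert(_maxPacketSize <= MAX_PACKET_SIZE);` before the encode call (or passing `std::min(_maxPacketSize, (int)sizeof(bufferOut))`) would make the bound explicit in both queueEditEntityMessage and queueEraseEntityMessage. The comment "since it's static" now reads ambiguously after this change, since the buffer itself is no longer static; something like `// bufferOut is a per-call local (not shared static storage); MAX_PACKET_SIZE is the compile-time bound and must be >= _maxPacketSize` would say what is actually relied on. MAX_PACKET_SIZE's value is not visible here, so the stack cost of the per-call array is presumably small but worth confirming. Both functions continue outside the hunks shown.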


@ -596,8 +596,14 @@ bool EntityItemProperties::encodeEntityEditPacket(PacketType command, EntityItem
packetData->endSubTree();
const unsigned char* finalizedData = packetData->getFinalizedData();
int finalizedSize = packetData->getFinalizedSize();
memcpy(bufferOut, finalizedData, finalizedSize);
sizeOut = finalizedSize;
if (finalizedSize <= sizeIn) {
memcpy(bufferOut, finalizedData, finalizedSize);
sizeOut = finalizedSize;
} else {
qDebug() << "ERROR - encoded edit message doesn't fit in output buffer.";
sizeOut = 0;
success = false;
}
} else {
packetData->discardSubTree();
sizeOut = 0;
@ -747,8 +753,13 @@ bool EntityItemProperties::encodeEraseEntityMessage(const EntityItemID& entityIt
unsigned char* outputBuffer, size_t maxLength, size_t& outputLength) {
unsigned char* copyAt = outputBuffer;
uint16_t numberOfIds = 1; // only one entity ID in this message
if (maxLength < sizeof(numberOfIds) + NUM_BYTES_RFC4122_UUID) {
qDebug() << "ERROR - encodeEraseEntityMessage() called with buffer that is too small!";
outputLength = 0;
return false;
}
memcpy(copyAt, &numberOfIds, sizeof(numberOfIds));
copyAt += sizeof(numberOfIds);
outputLength = sizeof(numberOfIds);
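Review bot: In encodeEntityEditPacket the new overflow branch reports failure but, unlike the existing failure path that calls `packetData->discardSubTree()`, it leaves the subtree ended and finalized inside packetData; if packetData is reused by the caller that state would carry over, which I cannot confirm from the visible lines. It is also worth logging the two sizes so the failure is diagnosable, e.g. `qDebug() << "ERROR - encoded edit message of" << finalizedSize << "bytes doesn't fit in output buffer of" << sizeIn;`. The added guard in encodeEraseEntityMessage covers the count plus one UUID, which matches the single-ID message built here; the remainder of that function, where the UUID is copied, lies outside the hunk. Both functions start before the hunks shown.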