mirror of
https://github.com/overte-org/overte.git
synced 2025-08-08 22:16:58 +02:00
guard against heap-overflow in the event of bogus entity network data
parent
64cb5d1b1a
commit
cfea3cba9b
1 changed files with 16 additions and 0 deletions
|
@ -686,6 +686,10 @@ int OctreePacketData::unpackDataFromBytes(const unsigned char *dataBytes, QVecto
|
||||||
uint16_t length;
|
uint16_t length;
|
||||||
memcpy(&length, dataBytes, sizeof(uint16_t));
|
memcpy(&length, dataBytes, sizeof(uint16_t));
|
||||||
dataBytes += sizeof(length);
|
dataBytes += sizeof(length);
|
||||||
|
if (length * sizeof(glm::vec3) > MAX_OCTREE_UNCOMRESSED_PACKET_SIZE) {
|
||||||
|
result.resize(0);
|
||||||
|
return sizeof(uint16_t);
|
||||||
|
}
|
||||||
result.resize(length);
|
result.resize(length);
|
||||||
memcpy(result.data(), dataBytes, length * sizeof(glm::vec3));
|
memcpy(result.data(), dataBytes, length * sizeof(glm::vec3));
|
||||||
return sizeof(uint16_t) + length * sizeof(glm::vec3);
|
return sizeof(uint16_t) + length * sizeof(glm::vec3);
|
||||||
|
@ -695,6 +699,10 @@ int OctreePacketData::unpackDataFromBytes(const unsigned char *dataBytes, QVecto
|
||||||
uint16_t length;
|
uint16_t length;
|
||||||
memcpy(&length, dataBytes, sizeof(uint16_t));
|
memcpy(&length, dataBytes, sizeof(uint16_t));
|
||||||
dataBytes += sizeof(length);
|
dataBytes += sizeof(length);
|
||||||
|
if (length * sizeof(glm::quat) > MAX_OCTREE_UNCOMRESSED_PACKET_SIZE) {
|
||||||
|
result.resize(0);
|
||||||
|
return sizeof(uint16_t);
|
||||||
|
}
|
||||||
result.resize(length);
|
result.resize(length);
|
||||||
|
|
||||||
const unsigned char *start = dataBytes;
|
const unsigned char *start = dataBytes;
|
||||||
|
@ -709,6 +717,10 @@ int OctreePacketData::unpackDataFromBytes(const unsigned char* dataBytes, QVecto
|
||||||
uint16_t length;
|
uint16_t length;
|
||||||
memcpy(&length, dataBytes, sizeof(uint16_t));
|
memcpy(&length, dataBytes, sizeof(uint16_t));
|
||||||
dataBytes += sizeof(length);
|
dataBytes += sizeof(length);
|
||||||
|
if (length * sizeof(float) > MAX_OCTREE_UNCOMRESSED_PACKET_SIZE) {
|
||||||
|
result.resize(0);
|
||||||
|
return sizeof(uint16_t);
|
||||||
|
}
|
||||||
result.resize(length);
|
result.resize(length);
|
||||||
memcpy(result.data(), dataBytes, length * sizeof(float));
|
memcpy(result.data(), dataBytes, length * sizeof(float));
|
||||||
return sizeof(uint16_t) + length * sizeof(float);
|
return sizeof(uint16_t) + length * sizeof(float);
|
||||||
|
@ -718,6 +730,10 @@ int OctreePacketData::unpackDataFromBytes(const unsigned char* dataBytes, QVecto
|
||||||
uint16_t length;
|
uint16_t length;
|
||||||
memcpy(&length, dataBytes, sizeof(uint16_t));
|
memcpy(&length, dataBytes, sizeof(uint16_t));
|
||||||
dataBytes += sizeof(length);
|
dataBytes += sizeof(length);
|
||||||
|
if (length * sizeof(bool) > MAX_OCTREE_UNCOMRESSED_PACKET_SIZE) {
|
||||||
|
result.resize(0);
|
||||||
|
return sizeof(uint16_t);
|
||||||
|
}
|
||||||
result.resize(length);
|
result.resize(length);
|
||||||
|
|
||||||
int bit = 0;
|
int bit = 0;
|
||||||
|
|
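Review bot: The new guard in all four overloads (vec3 at -686, quat at -695, float at -709, bool at -718) compares `length * sizeof(T)` with the constant `MAX_OCTREE_UNCOMRESSED_PACKET_SIZE`, not with the number of bytes actually left in the buffer behind `dataBytes`. A sender-controlled `length` that passes the guard but exceeds the real payload still drives `memcpy(result.data(), dataBytes, length * sizeof(glm::vec3))` past the end of the received data, assuming the buffer is not always allocated at the maximum size (not visible here). The visible part of the signature carries no size or end pointer, so a complete fix probably needs one threaded through, e.g. `if (length * sizeof(glm::vec3) > bytesLeft)` with `bytesLeft` as a hypothetical new parameter. Returning `sizeof(uint16_t)` on rejection also appears to leave the caller's read cursor at the start of the rejected payload, so later fields would be decoded from the same untrusted bytes; a distinct error result or at least a log line would let the caller drop the packet. The function bodies start and end outside the hunks, so the quat and bool decode loops could not be checked.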