From 58b7fe5fef00f19ef360a5aca240e17679607618 Mon Sep 17 00:00:00 2001
From: Shyotl <Shyotl@gmail.com>
Date: Tue, 28 Jan 2014 16:28:03 -0600
Subject: [PATCH] Avoid potential buffer over-read in shader, overrun in
 application.

---
 .../app_settings/shaders/class1/avatar/objectSkinV.glsl       | 2 +-
 indra/newview/lldrawpoolavatar.cpp                            | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/indra/newview/app_settings/shaders/class1/avatar/objectSkinV.glsl b/indra/newview/app_settings/shaders/class1/avatar/objectSkinV.glsl
index 8eb5a977b..57129c3bd 100644
--- a/indra/newview/app_settings/shaders/class1/avatar/objectSkinV.glsl
+++ b/indra/newview/app_settings/shaders/class1/avatar/objectSkinV.glsl
@@ -34,7 +34,7 @@ mat4 getObjectSkinnedTransform()
 	vec4 w = fract(weight4);
 	vec4 index = floor(weight4);
 	
-		 index = min(index, vec4(63.0));
+		 index = min(index, vec4(51.0));
 		 index = max(index, vec4( 0.0));
 
 	float scale = 1.0/(w.x+w.y+w.z+w.w);
diff --git a/indra/newview/lldrawpoolavatar.cpp b/indra/newview/lldrawpoolavatar.cpp
index 77dbbaae2..d4962256e 100644
--- a/indra/newview/lldrawpoolavatar.cpp
+++ b/indra/newview/lldrawpoolavatar.cpp
@@ -1570,7 +1570,9 @@ void LLDrawPoolAvatar::updateRiggedFaceVertexBuffer(LLVOAvatar* avatar, LLFace*
 		LLMatrix4a mp[JOINT_COUNT];
 		LLMatrix4* mat = (LLMatrix4*) mp;
 
-		for (U32 j = 0; j < skin->mJointNames.size(); ++j)
+		U32 count = llmin((U32) skin->mJointNames.size(), (U32) JOINT_COUNT);
+
+		for (U32 j = 0; j < count; ++j)
 		{
 			LLJoint* joint = avatar->getJoint(skin->mJointNames[j]);
 			if (joint)