[Gnash-commit] gnash ChangeLog server/vm/ASHandlers.cpp
From: Sandro Santilli
Subject: [Gnash-commit] gnash ChangeLog server/vm/ASHandlers.cpp
Date: Mon, 08 Jan 2007 14:26:34 +0000
CVSROOT: /sources/gnash
Module name: gnash
Changes by: Sandro Santilli <strk> 07/01/08 14:26:34
Modified files:
. : ChangeLog
server/vm : ASHandlers.cpp
Log message:
* server/vm/ASHandlers.cpp (ActionDefineFunction2):
check consistency of code_size, handling bogus SWF.
CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/gnash/ChangeLog?cvsroot=gnash&r1=1.2052&r2=1.2053
http://cvs.savannah.gnu.org/viewcvs/gnash/server/vm/ASHandlers.cpp?cvsroot=gnash&r1=1.24&r2=1.25
Patches:
Index: ChangeLog
===================================================================
RCS file: /sources/gnash/gnash/ChangeLog,v
retrieving revision 1.2052
retrieving revision 1.2053
diff -u -b -r1.2052 -r1.2053
--- ChangeLog 8 Jan 2007 12:27:14 -0000 1.2052
+++ ChangeLog 8 Jan 2007 14:26:33 -0000 1.2053
@@ -1,5 +1,10 @@
2007-01-08 Sandro Santilli <address@hidden>
+ * server/vm/ASHandlers.cpp (ActionDefineFunction2):
+ check consistency of code_size, handling bogus SWF.
+
+2007-01-08 Sandro Santilli <address@hidden>
+
* testsuite/actionscript.all/Inheritance.as: added a couple more
tests to the 'extends' section, curtesy of Zou Lunkai.
* testsuite/actionscript.all/Function.as: added test for 'this'
Index: server/vm/ASHandlers.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/vm/ASHandlers.cpp,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -b -r1.24 -r1.25
--- server/vm/ASHandlers.cpp 6 Jan 2007 00:23:31 -0000 1.24
+++ server/vm/ASHandlers.cpp 8 Jan 2007 14:26:34 -0000 1.25
@@ -16,7 +16,7 @@
//
-/* $Id: ASHandlers.cpp,v 1.24 2007/01/06 00:23:31 strk Exp $ */
+/* $Id: ASHandlers.cpp,v 1.25 2007/01/08 14:26:34 strk Exp $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -2986,8 +2986,24 @@
}
// Get the length of the actual function code.
- int16_t code_size = code.read_int16(i);
- assert( code_size >= 0 );
+ uint16_t code_size = code.read_int16(i);
+
+ // Check code_size value consistency
+ size_t actionbuf_size = thread.code.size();
+ if ( thread.next_pc+code_size > actionbuf_size )
+ {
+ IF_VERBOSE_MALFORMED_SWF(
+ log_warning("Malformed SWF: function2 code len (%u) "
+ "overflows DOACTION tag boundaries "
+ "(DOACTION tag len=%u, "
+ "function2 code offset=%u). "
+ "Forcing code len to eat the whole buffer "
+ "(would this work?).",
+ code_size, actionbuf_size, thread.next_pc);
+ );
+ code_size = actionbuf_size-thread.next_pc;
+ }
+
i += 2;
func->set_length(code_size);
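Review bot: the recovery assignment `code_size = actionbuf_size-thread.next_pc;` only yields a safe bound if `thread.next_pc <= actionbuf_size` already holds; if an earlier read on a malformed tag has pushed `next_pc` past the end of the action buffer, the `size_t` subtraction wraps and the value narrowed into the `uint16_t` is no longer limited by the buffer, so the branch should handle the `thread.next_pc > actionbuf_size` case explicitly (reject the tag or clamp the length to zero) before subtracting. Replacing `assert( code_size >= 0 )` with an unsigned read is the right direction, since an assert on data taken from the SWF was a crash path rather than a check, but the result of `code.read_int16(i)` is converted to `uint16_t` implicitly here; if the reader offers an unsigned variant, using it makes the intent clear. Two smaller points in the warning: `actionbuf_size` is a `size_t` but is formatted with `%u`, which is a mismatch wherever `size_t` is wider than `unsigned int`, and the "(would this work?)" aside belongs in a code comment rather than in the message shown to users.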