
[Gnash-commit] /srv/bzr/gnash/rtmp r9582: add patch from JasonWoof after


From: rob
Subject: [Gnash-commit] /srv/bzr/gnash/rtmp r9582: add patch from JasonWoof after modifications.
Date: Wed, 13 Aug 2008 13:26:51 -0600
User-agent: Bazaar (1.5)

------------------------------------------------------------
revno: 9582
committer: address@hidden
branch nick: rtmp
timestamp: Wed 2008-08-13 13:26:51 -0600
message:
  add patch from JasonWoof after modifications.
modified:
  libamf/amf.cpp
  libamf/sol.cpp
=== modified file 'libamf/amf.cpp'
--- a/libamf/amf.cpp    2008-08-08 04:39:08 +0000
+++ b/libamf/amf.cpp    2008-08-13 19:26:51 +0000
@@ -677,7 +677,6 @@
 {
 //    GNASH_REPORT_FUNCTION;
 
-    Element *el = new Element;
     Network::byte_t *tmpptr = in;
     boost::uint16_t length;
 
@@ -698,25 +697,25 @@
     // mostly to make valgrind shut up, as it has a tendency to
     // complain about legit code when it comes to all this byte
     // manipulation stuff.
-    char c = *(reinterpret_cast<char *>(tmpptr));
-    Element::amf0_type_e type = static_cast<Element::amf0_type_e>(c);
+    Element *el = new Element;
+    AMF amf_obj;
+    // Jump through hoops to get the type so valgrind stays happy
+//    char c = *(reinterpret_cast<char *>(tmpptr));
+    Element::amf0_type_e type = static_cast<Element::amf0_type_e>(*tmpptr);
     tmpptr++;                        // skip past the header byte
 
-    AMF amf_obj;
     switch (type) {
       case Element::NUMBER_AMF0:
       {
          double swapped = *reinterpret_cast<const double*>(tmpptr);
          swapBytes(&swapped, amf::AMF0_NUMBER_SIZE);
          el->makeNumber(swapped); 
-//       el->makeNumber(tmpptr); 
          tmpptr += AMF0_NUMBER_SIZE; // all numbers are 8 bit big endian
       }
          break;
       case Element::BOOLEAN_AMF0:
          el->makeBoolean(tmpptr);
-         tmpptr += sizeof(bool);
-//       tmpptr += sizeof(boost::uint16_t); // although a bool is one byte, 
it's stored as a short
+         tmpptr += 1;          // sizeof(bool) isn't always 1 for all 
compilers 
          break;
       case Element::STRING_AMF0:
          // get the length of the name
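Review bot: The type byte is read with `*tmpptr` before anything visible in this hunk compares tmpptr with tooFar, and the NUMBER_AMF0 case then loads eight bytes through `reinterpret_cast<const double*>(tmpptr)` with no length check either. This parser is fed SOL file contents (see sol.cpp in this commit), so a truncated buffer should be rejected before `new Element`, e.g. `if (tmpptr >= tooFar) { return 0; }`, with a matching `tooFar - tmpptr < AMF0_NUMBER_SIZE` test in the number case. The function starts above the hunk, so an earlier guard may exist; if it does, a short comment here saying so would help. The `double` load also assumes tmpptr is suitably aligned; copying the bytes into `swapped` with `memcpy` avoids that assumption.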
@@ -725,6 +724,7 @@
          if (length >= SANE_STR_SIZE) {
              log_error("%d bytes for a string is over the safe limit of %d",
                        length, SANE_STR_SIZE);
+             delete el;
              return 0;
          }
 //       log_debug(_("AMF String length is: %d"), length);
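Review bot: Freeing `el` by hand on each early return is easy to miss when the next error path is added; this commit already needs the same `delete el;` a second time in the `default:` branch (hunk `@@ -823,6 +825,7 @@`). Holding the element in an owning smart pointer until the successful return (`std::auto_ptr<Element> el(new Element);` at this code's vintage, `std::unique_ptr` today, with `return el.release();` at the end) would make every `return 0;` leak-free without further edits. The rest of the function lies outside these hunks, so its other exits could not be checked. Separately, the string length here is compared only with SANE_STR_SIZE, not with the bytes remaining before tooFar.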
@@ -740,7 +740,7 @@
       case Element::OBJECT_AMF0:
       {
          el->makeObject();
-         while (tmpptr < (tooFar - AMF_HEADER_SIZE)) {
+         while (tmpptr < tooFar) { // FIXME: was tooFar - AMF_HEADER_SIZE)
              if (*tmpptr == TERMINATOR) {
 //               log_debug("No data associated with Property in object");
                  tmpptr++;
@@ -748,13 +748,15 @@
              }
              Element *child = amf_obj.extractProperty(tmpptr, tooFar); 
              if (child == 0) {
+                 // skip past zero length string (2 bytes), null (1 byte) and 
end object (1 byte)
+                 tmpptr += 4;
                  break;
              }
 //           child->dump();
              el->addProperty(child);
              tmpptr += amf_obj.totalsize();
          };
-         tmpptr += AMF_HEADER_SIZE;            // skip past the terminator 
bytes
+//       tmpptr += AMF_HEADER_SIZE;            // skip past the terminator 
bytes
          break;
       }
       case Element::MOVIECLIP_AMF0:
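Review bot: `tmpptr += 4;` runs whenever extractProperty() returns 0, but that function appears to return 0 for a failed nested extractAMF() as well as for the end-of-object case, and the step is not checked against tooFar. On malformed input the pointer can therefore move past the end of the buffer; how the caller uses it afterwards is not visible here. Consider advancing only when the four bytes are really present, e.g. `if (tooFar - tmpptr >= 4) tmpptr += 4;`, and giving the literal 4 a named constant. The loop condition relaxed in the previous hunk (`tmpptr < tooFar`) also lets extractProperty() be called with a single byte left, and its length read is outside this diff.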
@@ -823,6 +825,7 @@
       case Element::AMF3_DATA:
       default:
          log_unimpl("%s: type %d", __PRETTY_FUNCTION__, (int)type);
+         delete el;
          return 0;
       }
     
@@ -864,31 +867,34 @@
        log_debug("No Property name, object done");
        return 0;
     }
-    if (length >= SANE_STR_SIZE) {
-       log_error("%d bytes for a string is over the safe limit of %d",
-                 length, SANE_STR_SIZE);
-       return 0;
-    }
+    
+    if (length + tmpptr > tooFar) {
+       log_error("%d bytes for a string is over the safe limit of %d. Putting 
the rest of the buffer into the string", length, SANE_STR_SIZE);
+       length = tooFar - tmpptr;
+    }    
     
     // name is just debugging help to print cleaner, and should be removed 
later
 //    log_debug(_("AMF property name length is: %d"), length);
     std::string name(reinterpret_cast<const char *>(tmpptr), length);
 //    log_debug(_("AMF property name is: %s"), name);
+    tmpptr += length;
 
     Element *el = 0;
+    char c = *(reinterpret_cast<char *>(tmpptr));
+    Element::amf0_type_e type = static_cast<Element::amf0_type_e>(c);
     // If we get a NULL object, there is no data. In that case, we only return
     // the name of the property.
-    if (*(tmpptr+length) == Element::NULL_AMF0) {
+    if (type == Element::NULL_AMF0) {
        log_debug("No data associated with Property \"%s\"", name);
        el = new Element;
        el->setName(name.c_str(), length);
-       tmpptr += length + 1;
+       tmpptr += 1;
        // Calculate the offset for the next read
     } else {
        // process the data with associated with the property.
        // Go past the data to the start of the next AMF object, which
        // should be a type byte.
-       tmpptr += length;
+//     tmpptr += length;
        el = extractAMF(tmpptr, tooFar);
        if (el) {
            el->setName(name.c_str(), length);
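Review bot: When the name length is clamped to `tooFar - tmpptr`, the new `tmpptr += length;` leaves tmpptr equal to tooFar, and the following `*(reinterpret_cast<char *>(tmpptr))` then reads the type byte one past the limit. A name that reaches the end of the buffer leaves no room for a value, so rejecting it is safer than truncating it: test `length >= tooFar - tmpptr`, log the error and `return 0;`. The log text carried over from the old check still reports SANE_STR_SIZE, which the new condition no longer tests, and with that check removed a name is bounded only by the buffer size. extractProperty() begins above the hunk, so the declared type of `length` could not be confirmed.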

=== modified file 'libamf/sol.cpp'
--- a/libamf/sol.cpp    2008-05-16 02:46:11 +0000
+++ b/libamf/sol.cpp    2008-08-13 19:26:51 +0000
@@ -251,26 +251,26 @@
         size_t outsize = 0;
         switch (el->getType()) {
          case Element::BOOLEAN_AMF0:
-             outsize = el->getNameSize() + 3;
+             outsize = el->getNameSize() + 4;
              memcpy(ptr, var->reference(), outsize); 
              ptr += outsize;
              break;
          case Element::OBJECT_AMF0:
              outsize = el->getNameSize() + 5;
               assert(ptr+outsize < endPtr);
-             outsize = el->getNameSize() + 5;
+//           outsize = el->getNameSize() + 5;
              memcpy(ptr, var->reference(), outsize);
              ptr += outsize;
              *ptr++ = Element::OBJECT_END_AMF0;
-             *ptr++ = 0;       // objects are terminated too!
+//           *ptr++ = 0;       // objects are terminated too!
              break;
          case Element::NUMBER_AMF0:
-             outsize = el->getNameSize() + AMF0_NUMBER_SIZE + 2;
+             outsize = el->getNameSize() + AMF0_NUMBER_SIZE + 3;
               assert(ptr+outsize < endPtr);
              memcpy(ptr, var->reference(), outsize);
              ptr += outsize;
-             *ptr++ = 0;       // doubles are terminated too!
-             *ptr++ = 0;       // doubles are terminated too!
+//           *ptr++ = 0;       // doubles are terminated too!
+//           *ptr++ = 0;       // doubles are terminated too!
              break;
          case Element::STRING_AMF0:
              if (el->getLength() == 0) {
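Review bot: The BOOLEAN_AMF0 branch now copies one more byte but still has no bounds check on `ptr`, unlike the OBJECT and NUMBER branches, and those rely on `assert(ptr+outsize < endPtr)`, which disappears in builds that define NDEBUG. A run-time comparison of `outsize` with `endPtr - ptr` before each `memcpy`, handled as an error rather than an assertion, would cover all three branches. The new sizes (`+ 4` and `+ AMF0_NUMBER_SIZE + 3`) also read that many bytes from `var->reference()`, whose length is not visible in this hunk, so confirm the source buffer always holds them. The commented-out lines would be better replaced by a one-line comment stating what each counted byte is.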
@@ -338,7 +338,7 @@
            _filesize = st.st_size;
            buf = new Network::byte_t[_filesize + sizeof(int)];
            ptr = buf;
-           Network::byte_t* tooFar = buf+_filesize+sizeof(int);
+           Network::byte_t* tooFar = buf+_filesize;
            
            bodysize = st.st_size - 6;
            _filespec = filespec;
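Review bot: `bodysize = st.st_size - 6;` is computed without any visible check that the file is at least six bytes long, so a truncated or crafted .sol file yields a negative or wrapped size, depending on the type of bodysize (declared outside the hunk). Rejecting files smaller than the bytes subtracted here, before `new Network::byte_t[...]`, would close that off. The buffer is still allocated with `sizeof(int)` extra bytes that tooFar no longer covers; a comment such as `// padding only; parsing must stop at tooFar` would record why the two differ.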
@@ -399,9 +399,6 @@
                if (ptr) {
                    el = amf_obj.extractProperty(ptr, tooFar);
                    if (el != 0) {
-                       // Unlike RTMP, SOL files tack an extra
-                       // zero byte after every property, so we
-                       // want to skip past this one too.
                        ptr += amf_obj.totalsize() + 1;
                        _amfobjs.push_back(el);
                    } else {

