[Gnash-commit] gnash ChangeLog server/stream.cpp


From: Benjamin Wolsey
Subject: [Gnash-commit] gnash ChangeLog server/stream.cpp
Date: Sun, 17 Feb 2008 08:27:20 +0000

CVSROOT:        /sources/gnash
Module name:    gnash
Changes by:     Benjamin Wolsey <bwy>   08/02/17 08:27:20

Modified files:
        .              : ChangeLog 
        server         : stream.cpp 

Log message:
        Throw parser exception if asked to read more than 32 bits, assert only
        to prevent buffer overflow. There is no reason, other than that it's a
        very large number, that more than a 32-bit unsigned value should be
        illegal. If a real life movie ever does show this behaviour, an obvious
        error message is more helpful than a 'malformed SWF' log. It's an
        intended limitation of the parsing code rather than a known
        malformation in any case.

CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/gnash/ChangeLog?cvsroot=gnash&r1=1.5675&r2=1.5676
http://cvs.savannah.gnu.org/viewcvs/gnash/server/stream.cpp?cvsroot=gnash&r1=1.46&r2=1.47

Patches:
Index: ChangeLog
===================================================================
RCS file: /sources/gnash/gnash/ChangeLog,v
retrieving revision 1.5675
retrieving revision 1.5676
diff -u -b -r1.5675 -r1.5676
--- ChangeLog   17 Feb 2008 02:04:27 -0000      1.5675
+++ ChangeLog   17 Feb 2008 08:27:19 -0000      1.5676
@@ -1,3 +1,8 @@
+2008-02-16 Benjamin Wolsey <address@hidden>
+
+       * server/stream.cpp: throw parser exception if asked to read more than
+         32 bits, assert only to prevent buffer overflow. Fixes bug #22319.
+
 2008-02-16  Rob Savoye  <address@hidden>
 
        * gui/Makefile.am: Add GLIB_CFLAGS. Install shell with
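
Review bot: The new entry's header line uses single spaces between date, name and address ("2008-02-16 Benjamin Wolsey <address@hidden>"), while the existing entry directly below it uses two; match the existing spacing so the file stays consistent. The entry is also dated 2008-02-16 although the diff header timestamps this revision 17 Feb 2008 08:27:19, so check which date is intended.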

Index: server/stream.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/stream.cpp,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -b -r1.46 -r1.47
--- server/stream.cpp   14 Feb 2008 17:49:12 -0000      1.46
+++ server/stream.cpp   17 Feb 2008 08:27:20 -0000      1.47
@@ -81,9 +81,16 @@
 
 unsigned stream::read_uint(unsigned short bitcount)
 {
-       //assert(bitcount <= 24);
-       // should be 24, check why htf_sweet.swf fails this assertion
-       assert(bitcount <= 32);
+       // htf_sweet.swf fails when this is set to 24. There seems to
+       // be no reason why this should be limited to 32 other than
+       // that it is higher than a movie is likely to need.
+       if (bitcount > 32)
+       {
+           // This might overflow a uint32_t or attempt to read outside
+           // the byte cache (relies on there being only 4 bytes after
+        // possible unused bits.)
+           throw ParserException("Unexpectedly long value advertised.");
+       }
 
        // Optimization for multibyte read
        if ( bitcount > m_unused_bits )
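
Review bot: The exception text in the new "if (bitcount > 32)" branch, "Unexpectedly long value advertised.", does not say how many bits were requested, which is the first thing anyone debugging the offending movie will need; include the value of bitcount in the message. Turning the assert into a throw is the right direction, since the bound now holds in builds where assert is compiled out, but it also means read_uint can now raise ParserException on this path, so confirm that its callers handle it. The comment line "// possible unused bits.)" is indented differently from the two comment lines above it and should be realigned.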
@@ -104,6 +111,7 @@
 
                //std::cerr << "BytesToRead: " << bytesToRead << " spareBits: " 
<< spareBits << " unusedBits: " << (int)m_unused_bits << std::endl;
 
+        assert (bytesToRead <= 4);
                byte cache[4]; // at most 4 bytes in the cache
 
                if ( spareBits ) m_input->read_bytes(&cache, bytesToRead+1);
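
Review bot: The added "assert (bytesToRead <= 4);" does not bound the read that follows it: when spareBits is set, the next statement asks read_bytes for bytesToRead+1 bytes, so a value of 4 passes the assert and would still request 5 bytes into "byte cache[4]". Assert on the count actually passed to read_bytes instead, for example bytesToRead + (spareBits ? 1 : 0) <= 4, or document next to the assert why bytesToRead cannot be 4 when spareBits is non-zero. Because an assert disappears in builds that define NDEBUG, the real protection for the cache is the bitcount check at the top of the function; a comment saying the assert depends on that check would help. The new line is also indented less deeply than the surrounding lines.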



