[Gnash-commit] gnash ChangeLog server/stream.cpp
From: Benjamin Wolsey
Subject: [Gnash-commit] gnash ChangeLog server/stream.cpp
Date: Sun, 17 Feb 2008 08:27:20 +0000
CVSROOT: /sources/gnash
Module name: gnash
Changes by: Benjamin Wolsey <bwy> 08/02/17 08:27:20
Modified files:
. : ChangeLog
server : stream.cpp
Log message:
Throw parser exception if asked to read more than 32 bits, assert only
to prevent buffer overflow. There is no reason, other than that it's a
very large number, that more than a 32-bit unsigned value should be
illegal. If a real life movie ever does show this behaviour, an obvious
error message is more helpful than a 'malformed SWF' log. It's an
intended limitation of the parsing code rather than a known malformation
in any case.
CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/gnash/ChangeLog?cvsroot=gnash&r1=1.5675&r2=1.5676
http://cvs.savannah.gnu.org/viewcvs/gnash/server/stream.cpp?cvsroot=gnash&r1=1.46&r2=1.47
Patches:
Index: ChangeLog
===================================================================
RCS file: /sources/gnash/gnash/ChangeLog,v
retrieving revision 1.5675
retrieving revision 1.5676
diff -u -b -r1.5675 -r1.5676
--- ChangeLog 17 Feb 2008 02:04:27 -0000 1.5675
+++ ChangeLog 17 Feb 2008 08:27:19 -0000 1.5676
@@ -1,3 +1,8 @@
+2008-02-16 Benjamin Wolsey <address@hidden>
+
+ * server/stream.cpp: throw parser exception if asked to read more than
+ 32 bits, assert only to prevent buffer overflow. Fixes bug #22319.
+
2008-02-16 Rob Savoye <address@hidden>
* gui/Makefile.am: Add GLIB_CFLAGS. Install shell with
Index: server/stream.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/stream.cpp,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -b -r1.46 -r1.47
--- server/stream.cpp 14 Feb 2008 17:49:12 -0000 1.46
+++ server/stream.cpp 17 Feb 2008 08:27:20 -0000 1.47
@@ -81,9 +81,16 @@
unsigned stream::read_uint(unsigned short bitcount)
{
- //assert(bitcount <= 24);
- // should be 24, check why htf_sweet.swf fails this assertion
- assert(bitcount <= 32);
+ // htf_sweet.swf fails when this is set to 24. There seems to
+ // be no reason why this should be limited to 32 other than
+ // that it is higher than a movie is likely to need.
+ if (bitcount > 32)
+ {
+ // This might overflow a uint32_t or attempt to read outside
+ // the byte cache (relies on there being only 4 bytes after
+ // possible unused bits.)
+ throw ParserException("Unexpectedly long value advertised.");
+ }
// Optimization for multibyte read
if ( bitcount > m_unused_bits )
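Review bot: The two new comments in read_uint() disagree about the limit. The one above the check says there "seems to be no reason why this should be limited to 32", while the one inside the branch gives two reasons: a wider value might overflow a uint32_t or read outside the byte cache. Merging them into a single comment stating that the limit comes from the return width and the 4-byte cache would avoid the contradiction. The exception text "Unexpectedly long value advertised." could also carry the offending bitcount and the limit of 32, since the log message argues for an obvious error message.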
@@ -104,6 +111,7 @@
//std::cerr << "BytesToRead: " << bytesToRead << " spareBits: "
<< spareBits << " unusedBits: " << (int)m_unused_bits << std::endl;
+ assert (bytesToRead <= 4);
byte cache[4]; // at most 4 bytes in the cache
if ( spareBits ) m_input->read_bytes(&cache, bytesToRead+1);
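Review bot: The new `assert (bytesToRead <= 4);` bounds bytesToRead, but the read two lines later requests `bytesToRead+1` bytes when spareBits is non-zero, so the assertion as written still admits a 5-byte read into `byte cache[4]` unless the computation above this hunk (not shown here) rules out spareBits being set when bytesToRead is 4. Asserting on the length actually passed to read_bytes would make the bound match the buffer. Also, assert is compiled out when NDEBUG is defined, so in such builds this line gives no protection and the overflow guard rests entirely on the `bitcount > 32` check.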