[Gnash-dev] Crash bug with possible fix

[dolphinling]

I have a file at http://dolphinling.net/gnash/5.swf that crashes gnash. The file 
was reduced using swftools to the minimum needed to crash from 
http://images.neopets.com/faerieland/wheel_v1.swf .

When it crashes it prints the following:
gnash: edit_text_character.cpp:849: void 
gnash::edit_text_character::registerTextVariable(const std::string&): Assertion 
`dynamic_cast<sprite_instance*>(target)' failed.
Aborted

Having run through a debugger, it looks like target is null at that point, and 
as_environment.cpp:find_target() can indeed return null in at least two ways. So 
it looks like casting null to a sprite_instance* doesn't work.

The funny thing is, target is non-null before that, and if I comment out the 
line setting it null, it doesn't crash.

I don't understand all the code, so I don't know if the correct fix is to make 
find_target() not return null in this case, to null check before setting target, 
or to remove that line entirely, but null checking seems to work for me, so 
here's a patch for it.


--
dolphinling
<http://dolphinling.net/>

Index: edit_text_character.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/edit_text_character.cpp,v
retrieving revision 1.25
diff -u -r1.25 edit_text_character.cpp
--- edit_text_character.cpp     6 Nov 2006 10:51:47 -0000       1.25
+++ edit_text_character.cpp     13 Nov 2006 04:28:34 -0000
@@ -840,7 +840,11 @@
        {
                // find target for the path component
                // we use our parent's environment for this
-               target = env.find_target(path);
+               // casting null to a sprite_instance* fails, so don't do that
+               if ( env.find_target(path) != NULL )
+               {
+                       target = env.find_target(path);
+               }
 
                // update varname (with path component stripped)
                varname = var.c_str();