From: strk
Subject: [Gnash-dev] #31766: YT Crash _during playback_ (Was: pre-release candidate)
Date: Wed, 9 Feb 2011 15:56:27 +0100

On Wed, Feb 09, 2011 at 11:27:27AM +0100, strk wrote:
> On Tue, Feb 08, 2011 at 06:56:32PM -0700, Rob Savoye wrote:
> >
> > Just cause I'm the one that makes the release, doesn't
> > mean I'm the one that has to fix all the bugs.
> 
> Agreed.
> It would be enough to review the ones assigned to you and the ones
> marked with severities from Important up.

Rob, I did go through bug #31766, which is the one making it impossible
to use Gnash with chromium, and managed to obtain a new backtrace
(attached to the bug).

Now, the backtrace points at ExternalInterface and I think I spotted
a possibly unsafe operation performed by it:

 ExternalInterface::parseInvoke(const std::string &xml);

 ExternalInterface::ExternalEventCheck
   ..
   boost::scoped_array<char> buffer(new char[bytes+1]);
   return parseInvoke(buffer.get());

The code above writes a zero one byte after the allocated amount.
A short testcase follows (build and run with valgrind):

----8<--------------

#include <cstddef>   // size_t

int main()
{
 size_t bytes = 2;
 char *buffer = new char[bytes+1];   // valid indices: 0 .. bytes
 buffer[bytes+1] = 0;                // one past the end: valgrind reports an invalid write here
 delete[] buffer;
 return 0;
}

----8<--------------
 
I believe that ExternalInterface.cpp is code you wrote, in which case I think
you should fix that, to avoid confusion about who broke what.

--strk;

  ()   Free GIS & Flash consultant/developer
  /\   http://strk.keybit.net/services.html
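The following is an added example, not code from the Gnash tree or from this thread: it restates the bounds rule behind the report (for `new char[bytes+1]` the last valid index is `bytes`, so `bytes+1` is one past the end) and shows the corrected shape of the allocate / fill / terminate / parse sequence. `read_and_terminate`, `parse_invoke_stub` and `terminator_index_in_bounds` are constructed names, `std::unique_ptr<char[]>` stands in for `boost::scoped_array`, and the byte source is a constructed string rather than a real descriptor read.

```cpp
// Added example: the off-by-one pattern from the bug report beside a
// corrected version. Function names and the input are constructed.
#include <cstddef>
#include <cstring>
#include <memory>
#include <string>

// An array of `allocated` elements has valid indices 0 .. allocated-1.
// For `new char[bytes+1]` the terminator belongs at index `bytes`;
// index `bytes+1` is the one-past-the-end write valgrind complains about.
bool terminator_index_in_bounds(std::size_t index, std::size_t allocated)
{
    return index < allocated;
}

// Corrected shape of the sequence: allocate bytes+1, copy `bytes` bytes
// from the source, terminate at index `bytes` (not bytes+1), and hand a
// std::string to the parser. `source` is a stand-in for whatever the real
// code reads from; std::unique_ptr<char[]> stands in for boost::scoped_array.
std::string read_and_terminate(const char* source, std::size_t bytes)
{
    std::unique_ptr<char[]> buffer(new char[bytes + 1]);
    std::memcpy(buffer.get(), source, bytes);
    buffer[bytes] = '\0';            // last valid index of the allocation
    return std::string(buffer.get());
}

// Stand-in for parseInvoke: the real one parses XML; here we only check
// that the terminated string carries exactly the bytes that were copied.
bool parse_invoke_stub(const std::string& xml, std::size_t expected_bytes)
{
    return xml.size() == expected_bytes;
}

int main()
{
    // Constructed input, not a real ExternalInterface message.
    const char* msg = "<invoke name=\"x\"/>";
    std::string xml = read_and_terminate(msg, 18);
    return parse_invoke_stub(xml, 18) ? 0 : 1;
}
```

The `terminator_index_in_bounds` check is the whole fix in one line: with `allocated == bytes+1`, index `bytes` passes and index `bytes+1` does not.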