
[Gnash-commit] gnash ChangeLog server/swf/ASHandlers.cpp [release_0_7_2]


From: Sandro Santilli
Subject: [Gnash-commit] gnash ChangeLog server/swf/ASHandlers.cpp [release_0_7_2]
Date: Sun, 05 Nov 2006 12:03:50 +0000

CVSROOT:        /sources/gnash
Module name:    gnash
Branch:         release_0_7_2
Changes by:     Sandro Santilli <strk>  06/11/05 12:03:50

Modified files:
        .              : ChangeLog 
        server/swf     : ASHandlers.cpp 

Log message:
                * server/swf/ASHandlers.cpp (ActionSubstring): handle
                  out of range base and negative or invalid size (overflow
                  input length when added to base)

CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/gnash/ChangeLog?cvsroot=gnash&only_with_tag=release_0_7_2&r1=1.1412.2.83&r2=1.1412.2.84
http://cvs.savannah.gnu.org/viewcvs/gnash/server/swf/ASHandlers.cpp?cvsroot=gnash&only_with_tag=release_0_7_2&r1=1.84.2.2&r2=1.84.2.3

Patches:
Index: ChangeLog
===================================================================
RCS file: /sources/gnash/gnash/ChangeLog,v
retrieving revision 1.1412.2.83
retrieving revision 1.1412.2.84
diff -u -b -r1.1412.2.83 -r1.1412.2.84
--- ChangeLog   5 Nov 2006 11:58:21 -0000       1.1412.2.83
+++ ChangeLog   5 Nov 2006 12:03:50 -0000       1.1412.2.84
@@ -1,7 +1,9 @@
 2006-11-05 Sandro Santilli <address@hidden>
 
        * server/swf/ASHandlers.cpp (ActionSubstring): early
-         return if input string is undefined or null; attempt
+         return if input string is undefined or null, base
+         is out of range, size is negative or invalid (overflow
+         input length when added to base); attempt
          to support negative base args (untested: ming unable
          to output such opcode). See bug #18204.
 

Index: server/swf/ASHandlers.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/swf/ASHandlers.cpp,v
retrieving revision 1.84.2.2
retrieving revision 1.84.2.3
diff -u -b -r1.84.2.2 -r1.84.2.3
--- server/swf/ASHandlers.cpp   5 Nov 2006 11:28:03 -0000       1.84.2.2
+++ server/swf/ASHandlers.cpp   5 Nov 2006 12:03:50 -0000       1.84.2.3
@@ -16,7 +16,7 @@
 
 //
 
-/* $Id: ASHandlers.cpp,v 1.84.2.2 2006/11/05 11:28:03 strk Exp $ */
+/* $Id: ASHandlers.cpp,v 1.84.2.3 2006/11/05 12:03:50 strk Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include "config.h"
@@ -903,29 +903,58 @@
     }
 
     int        size = int(size_val.to_number());
+    if ( size < 0 )
+    {
+       log_warning("Negative size passed to ActionSubString, "
+               "returning undefined");
+       env.drop(2);
+       env.top(0).set_undefined();
+       return;
+    }
+
     int        base = int(base_val.to_number());  
     int version = env.get_version();
     const tu_string& str = string_val.to_tu_string_versioned(version);
 
+    // TODO: if 'base' or 'size' do not evaluate to numbers return 
+    //       the empty string (how do we check if they evaluate ??)
+
     // negative base refer to index from end
     // -1 is *last* character, otherwise
     // they are 1-based index from start
     if ( base < 0 ) base += str.length();
     else base = base-1;
 
-    // TODO: if 'base' or 'size' do not evaluate to numbers return 
-    //       the empty string (how do we check if they evaluate ??)
+    if ( base < 0 || base >= str.length() )
+    {
+       log_warning("Invalid base passed to ActionSubString, "
+               "returning undefined");
+       env.drop(2);
+       env.top(0).set_undefined();
+       return;
+    }
+
+    if ( base+size > str.length() )
+    {
+       log_warning("size+based go beyond input string in ActionSubString, "
+               "returning undefined");
+       env.drop(2);
+       env.top(0).set_undefined();
+       return;
+    }
 
-    assert(base >= 0);
 
+    assert(base >= 0);
+    assert(base < str.length() );
+    assert(size >= 0);
 
     //log_msg("string: %s, size: %d, base: %d", str.c_str(), size, base);
 
     // Keep base within range.
-    base = iclamp(base, 0, str.length());
+    //base = iclamp(base, 0, str.length());
     
     // Truncate if necessary.
-    size = imin(str.length() - base, size);
+    //size = imin(str.length() - base, size);
 
     // TODO: unsafe: use std::string::substr instead !
     tu_string  new_string = str.c_str() + base;
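Review bot: the new bound check `if ( base+size > str.length() )` adds two signed ints before comparing, so a very large `size` can overflow the sum (undefined behaviour, typically wrapping negative) and slip past the test that is meant to reject it. Since `base < str.length()` has already been established by the preceding check, writing it as `size > str.length() - base` gives the same result without any addition that can overflow. Related: `int(size_val.to_number())` and `int(base_val.to_number())` convert the number to int with no range or NaN test, which the TODO comment already hints at; that conversion should be validated before the `size < 0` test relies on it. Note also that commenting out the `iclamp`/`imin` lines changes the result for an over-long `size` from a truncated substring to undefined, and the ChangeLog entry does not call this out as a behaviour change. The remaining `str.c_str() + base` on the last context line now depends entirely on these checks, so the `std::string::substr` TODO is worth doing in the same change.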



