[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Gnash-commit] /srv/bzr/gnash/trunk r11809: Fix memory corruption when p
|
From: |
Benjamin Wolsey |
|
Subject: |
[Gnash-commit] /srv/bzr/gnash/trunk r11809: Fix memory corruption when passing bogus values to the renderer. Test |
|
Date: |
Tue, 26 Jan 2010 15:09:30 +0100 |
|
User-agent: |
Bazaar (2.0.2) |
------------------------------------------------------------
revno: 11809 [merge]
committer: Benjamin Wolsey <address@hidden>
branch nick: trunk
timestamp: Tue 2010-01-26 15:09:30 +0100
message:
Fix memory corruption when passing bogus values to the renderer. Test
what we're supposed to to do prevent it and implement.
modified:
libcore/asobj/flash/display/MovieClip_as.cpp
testsuite/misc-ming.all/DrawingApiTest.as
testsuite/misc-ming.all/DrawingApiTestRunner.cpp
=== modified file 'libcore/asobj/flash/display/MovieClip_as.cpp'
--- a/libcore/asobj/flash/display/MovieClip_as.cpp 2010-01-25 18:52:20
+0000
+++ b/libcore/asobj/flash/display/MovieClip_as.cpp 2010-01-26 13:29:50
+0000
@@ -2077,9 +2077,28 @@
clamp<double>(alpVal.to_number(), 0, 100) : 0;
const boost::uint8_t alp = 0xff * (a / 100);
- as_value ratVal = ratios->getMember(key);
+ // Ratio is the range 0..255, but a ratio may never be smaller than
+ // the previous value. The pp adjusts it to be greater than the
+ // last value if it is smaller. But we must be careful not to exceed
+ // 0xff.
+
+ // From looking it looks like the minimum adjustment is 2. Even
+ // steps of 1 appear to be adjusted.
+ const int step = 2;
+ const as_value& ratVal = ratios->getMember(key);
+ const boost::uint32_t minRatio =
+ gradients.empty() ? 0 :
+ std::min<boost::uint32_t>(gradients[i - 1].m_ratio + 2, 0xff);
+
boost::uint8_t rat = ratVal.is_number() ?
- clamp<int>(toInt(ratVal), 0, 255) : 0;
+ clamp<boost::uint32_t>(toInt(ratVal), minRatio, 0xff) : minRatio;
+
+ // The renderer may expect successively larger ratios; failure to
+ // do this can lead to memory errors.
+ if (!gradients.empty()) {
+ assert((rat != 0xff && rat > gradients[i - 1].m_ratio) ||
+ (rat >= gradients[i - 1].m_ratio));
+ }
rgba color;
color.parseRGB(col);
=== modified file 'testsuite/misc-ming.all/DrawingApiTest.as'
--- a/testsuite/misc-ming.all/DrawingApiTest.as 2010-01-20 09:52:21 +0000
+++ b/testsuite/misc-ming.all/DrawingApiTest.as 2010-01-26 13:40:21 +0000
@@ -887,6 +887,19 @@
beginGradientFill(fillType, colors, alphas, ratios, matrix);
draw100x100Box(x, y, grad);
+ y += 100;
+ x = 0;
+
+ // Shape 13
+
+ // Check that ratios are adjusted if they do not get successively larger.
+ fillType = "linear";
+ colors = [0x0000ff, 0xffffff, 0x00ff00];
+ alphas = [100, 100, 100];
+ ratios = [0, 0x10, 0x05];
+ matrix.createGradientBox(90, 90, 0, x, y);
+ beginGradientFill(fillType, colors, alphas, ratios, matrix);
+ draw100x100Box(x, y, grad);
_visible = false;
=== modified file 'testsuite/misc-ming.all/DrawingApiTestRunner.cpp'
--- a/testsuite/misc-ming.all/DrawingApiTestRunner.cpp 2010-01-20 10:35:43
+0000
+++ b/testsuite/misc-ming.all/DrawingApiTestRunner.cpp 2010-01-26 13:40:21
+0000
@@ -997,6 +997,13 @@
check_pixel(x + 90 - 2, y + 90 - 2, 2, yellow, 2);
check_pixel(x + 45, y + 45, 2, blue, 2);
+ // Shape 13
+ y += 100;
+ x = 0;
+ check_pixel(x + 7, y + 2, 2, green, 2);
+ check_pixel(x + 7, y + 90 - 2, 2, green, 2);
+ check_pixel(x + 90 - 2, y + 2, 2, green, 2);
+ check_pixel(x + 90 - 2, y + 90 - 2, 2, green, 2);
//----------------------------------------------------------
// TODO: check startDrag/stopDrag on the hit detector
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Gnash-commit] /srv/bzr/gnash/trunk r11809: Fix memory corruption when passing bogus values to the renderer. Test,
Benjamin Wolsey <=