[Gnash-commit] [bug #42145] Use after free in getRunResources()

gnash-commit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Gnash-commit] [bug #42145] Use after free in getRunResources()

From:	Bastiaan Jacques
Subject:	[Gnash-commit] [bug #42145] Use after free in getRunResources()
Date:	Fri, 18 Apr 2014 21:52:32 +0000
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0

URL:
  <http://savannah.gnu.org/bugs/?42145>

                 Summary: Use after free in getRunResources()
                 Project: Gnash - The GNU Flash player
            Submitted by: bjacques
            Submitted on: Fri 18 Apr 2014 11:52:31 PM CEST
                Category: core
                Severity: 6 - Security
                 Release: master
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

STR: start gangsta_rap_se.swf, click play and allow the animation to run for a
few seconds. Then exit Gnash.


==15117== Invalid read of size 8
==15117==    at 0x4C9BA2D: gnash::getRunResources(gnash::as_object const&)
(as_object.cpp:1145)
==15117==    by 0x4CFA3B3: gnash::MovieClip::stopStreamSound()
(MovieClip.cpp:2102)
==15117==    by 0x4CFC2A6: gnash::MovieClip::~MovieClip() (MovieClip.cpp:527)
==15117==    by 0x4CDD89C: gnash::SWFMovie::~SWFMovie() (Movie.h:57)
==15117==    by 0x56BD1E0: gnash::GC::~GC() (GC.cpp:62)
==15117==    by 0x4CE0CFD: gnash::movie_root::~movie_root()
(movie_root.cpp:190)
==15117==    by 0x154999: gnash::Player::run(int, char**, std::string const&,
std::string const&) (Player.cpp:661)
==15117==    by 0x12E7E0: playFile(gnash::Player&, int, char**, std::string
const&) (gnash.cpp:92)
==15117==    by 0x13184E: main (bind.hpp:457)
==15117==  Address 0x23590c08 is 40 bytes inside a block of size 144 free'd
==15117==    at 0x4A07991: operator delete(void*) (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==15117==    by 0x4C9657C: gnash::as_object::~as_object() (as_object.h:174)
==15117==    by 0x56BD1E0: gnash::GC::~GC() (GC.cpp:62)
==15117==    by 0x4CE0CFD: gnash::movie_root::~movie_root()
(movie_root.cpp:190)
==15117==    by 0x154999: gnash::Player::run(int, char**, std::string const&,
std::string const&) (Player.cpp:661)
==15117==    by 0x12E7E0: playFile(gnash::Player&, int, char**, std::string
const&) (gnash.cpp:92)
==15117==    by 0x13184E: main (bind.hpp:457)


Presumably this is a destruction order issue.




    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?42145>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[Gnash-commit] [bug #42145] Use after free in getRunResources(), Bastiaan Jacques <=
- [Gnash-commit] [bug #42145] Use after free in getRunResources(), Bastiaan Jacques, 2014/04/19

Prev by Date: [Gnash-commit] [bug #39989] Assertion `(_shape1.subshapes().size() == _shape2.subshapes().size()) && (_shape2.subshapes().size() == 1)' failed.
Next by Date: [Gnash-commit] buildbot failure in Gnash on rawhide-linux-i386
Previous by thread: [Gnash-commit] [SCM] Gnash branch, master, updated. release_0_8_9_final-1865-g2abc23e
Next by thread: [Gnash-commit] [bug #42145] Use after free in getRunResources()
Index(es):
- Date
- Thread