Benjamin Otte
2007-Apr-17 04:37 UTC
[Swfdec] 15 commits - libswfdec/jpeg libswfdec/swfdec_bits.c libswfdec/swfdec_edittext.c libswfdec/swfdec_font.c libswfdec/swfdec_image.c libswfdec/swfdec_root_sprite.c libswfdec/swfdec_script.c libswfdec/swfdec_shape.c libswfdec/swfdec_sprite.c
libswfdec/jpeg/jpeg.c | 3 +++ libswfdec/swfdec_bits.c | 18 ++++++++++++++++-- libswfdec/swfdec_edittext.c | 3 ++- libswfdec/swfdec_font.c | 30 ++++++++++++++++++++++++------ libswfdec/swfdec_image.c | 30 ++++++++++++++---------------- libswfdec/swfdec_root_sprite.c | 2 +- libswfdec/swfdec_script.c | 19 +++++++++---------- libswfdec/swfdec_shape.c | 11 ++++++----- libswfdec/swfdec_sprite.c | 6 ++++-- 9 files changed, 79 insertions(+), 43 deletions(-) New commits: diff-tree de1a29a1b62e30df5cb4a26fe192efd44db98bec (from 4ecf6f08ab585cbf8089373cb6535d5e3e3493fc) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 13:13:48 2007 +0200 break the ExportAssets loop if no more bytes are available diff --git a/libswfdec/swfdec_root_sprite.c b/libswfdec/swfdec_root_sprite.c index 7159927..41e8b31 100644 --- a/libswfdec/swfdec_root_sprite.c +++ b/libswfdec/swfdec_root_sprite.c @@ -117,7 +117,7 @@ tag_func_export_assets (SwfdecSwfDecoder count = swfdec_bits_get_u16 (bits); SWFDEC_LOG ("exporting %u assets", count); - for (i = 0; i < count; i++) { + for (i = 0; i < count && swfdec_bits_left (bits); i++) { guint id; SwfdecCharacter *object; char *name; diff-tree 4ecf6f08ab585cbf8089373cb6535d5e3e3493fc (from 09b659302736f9b00db64a1586703de7fe8f7344) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 12:40:39 2007 +0200 break out of loop if no more bits are available this avoids long erroneous loops when the number of styles in the file has been corrupted diff --git a/libswfdec/swfdec_shape.c b/libswfdec/swfdec_shape.c index 3aa5053..ac2491e 100644 --- a/libswfdec/swfdec_shape.c +++ b/libswfdec/swfdec_shape.c @@ -329,7 +329,7 @@ swfdec_shape_add_styles (SwfdecSwfDecode n_fill_styles = swfdec_bits_get_u16 (bits); } SWFDEC_LOG (" n_fill_styles %d", n_fill_styles); - for (i = 0; i < n_fill_styles; i++) { + for (i = 0; i < n_fill_styles && swfdec_bits_left (bits); i++) { SwfdecPattern *pattern; SWFDEC_LOG (" fill style %d:", i); 
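Review bot: The `swfdec_bits_left (bits)` term added to the ExportAssets loop condition in tag_func_export_assets only proves that at least one bit is unread, not that a whole entry (a u16 id plus a name string) is available, so a truncated last entry still depends on the reads inside the body failing safely; if the name read can return NULL, a `break` on that result would be the precise termination, with a comment such as `/* stop early on truncated input instead of trusting a corrupt count */` on the guard. The same pattern is used by the two loops in swfdec_shape_add_styles in the next commit (the fill-style hunk on this line and the line-style hunk on the line below), where the parsed pattern and `parse_stroke (s)` results are appended without a check in the visible lines. The loop body of tag_func_export_assets continues outside the hunk, so how a failed read inside it is handled cannot be confirmed here.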
@@ -344,7 +344,7 @@ swfdec_shape_add_styles (SwfdecSwfDecode n_line_styles = swfdec_bits_get_u16 (bits); } SWFDEC_LOG (" n_line_styles %d", n_line_styles); - for (i = 0; i < n_line_styles; i++) { + for (i = 0; i < n_line_styles && swfdec_bits_left (bits); i++) { g_ptr_array_add (shape->lines, parse_stroke (s)); } diff-tree 09b659302736f9b00db64a1586703de7fe8f7344 (from b498ba186ab9d587cc087ae9ab5952f1d5b2865a) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 12:36:33 2007 +0200 it's not this code's job to syncbits diff --git a/libswfdec/swfdec_shape.c b/libswfdec/swfdec_shape.c index a81b389..3aa5053 100644 --- a/libswfdec/swfdec_shape.c +++ b/libswfdec/swfdec_shape.c @@ -338,7 +338,6 @@ swfdec_shape_add_styles (SwfdecSwfDecode g_ptr_array_add (shape->fills, pattern); } - swfdec_bits_syncbits (bits); shape->lines_offset = shape->lines->len; n_line_styles = swfdec_bits_get_u8 (bits); if (n_line_styles == 0xff) { @@ -349,7 +348,6 @@ swfdec_shape_add_styles (SwfdecSwfDecode g_ptr_array_add (shape->lines, parse_stroke (s)); } - swfdec_bits_syncbits (bits); shape->n_fill_bits = swfdec_bits_getbits (bits, 4); shape->n_line_bits = swfdec_bits_getbits (bits, 4); } diff-tree b498ba186ab9d587cc087ae9ab5952f1d5b2865a (from 45c89c3d902be858a304539165d1160e822fba52) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 12:19:27 2007 +0200 avoid overflow issues when bytes is near MAXUINT diff --git a/libswfdec/swfdec_bits.c b/libswfdec/swfdec_bits.c index 8eef225..0f7e4c9 100644 --- a/libswfdec/swfdec_bits.c +++ b/libswfdec/swfdec_bits.c 
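Review bot: Dropping the two `swfdec_bits_syncbits (bits)` calls in swfdec_shape_add_styles (the `@@ -338` and `@@ -349` hunks on this line) makes the function depend on its callers leaving `bits` byte-aligned before the line-style count and the two 4-bit widths are read; if `swfdec_bits_get_u8` does not realign on its own, a caller arriving mid-byte would now read shifted values. That precondition belongs at the function head (outside these hunks), e.g. `/* @bits must be byte-aligned on entry; the caller does swfdec_bits_syncbits() */`, so the responsibility the commit message assigns to the caller is visible in the code. The function start and end are outside the hunks.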
@@ -95,7 +95,9 @@ swfdec_bits_init_bits (SwfdecBits *bits, bits->buffer = from->buffer; bits->ptr = from->ptr; - bits->end = MIN (bits->ptr + bytes, from->end); + if (bytes > (guint) (from->end - from->ptr)) + bytes = from->end - from->ptr; + bits->end = bits->ptr + bytes; bits->idx = 0; from->ptr = bits->end; } diff-tree 45c89c3d902be858a304539165d1160e822fba52 (from 36a3f8c38831112cb93caeb3fdf5ab3214fbb859) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 12:12:11 2007 +0200 movies without a rate don't have sound diff --git a/libswfdec/swfdec_sprite.c b/libswfdec/swfdec_sprite.c index f3ad17d..19c1442 100644 --- a/libswfdec/swfdec_sprite.c +++ b/libswfdec/swfdec_sprite.c @@ -562,8 +562,10 @@ swfdec_sprite_set_n_frames (SwfdecSprite sprite->frames = g_new0 (SwfdecSpriteFrame, n_frames); sprite->n_frames = n_frames; - for (i = 0; i < n_frames; i++) { - sprite->frames[i].sound_samples = 44100 * 256 / rate; + if (rate > 0) { + for (i = 0; i < n_frames; i++) { + sprite->frames[i].sound_samples = 44100 * 256 / rate; + } } SWFDEC_LOG ("n_frames = %d", sprite->n_frames); diff-tree 36a3f8c38831112cb93caeb3fdf5ab3214fbb859 (from 79da14950862c8c92669a9091edf0daf33792588) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 12:11:48 2007 +0200 only convert variable names if they exist diff --git a/libswfdec/swfdec_edittext.c b/libswfdec/swfdec_edittext.c index 151feb2..e89c8f5 100644 --- a/libswfdec/swfdec_edittext.c +++ b/libswfdec/swfdec_edittext.c 
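Review bot: The clamp in swfdec_bits_init_bits stops `bits->ptr + bytes` from overflowing, but the sub-reader starts at `from->ptr` with `bits->idx = 0`, so if `from` can be mid-byte (a non-zero `from->idx`) the partially consumed byte is handed out again and `from->ptr = bits->end` discards the bit offset; if callers are expected to byte-align `from` first, `g_assert (from->idx == 0);` or a comment at the top of the function would make that precondition visible. `(guint) (from->end - from->ptr)` also assumes `from->ptr <= from->end`; should that invariant ever break, the cast turns a negative difference into a huge limit and the clamp does nothing. The function head is outside the hunk.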
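Review bot: In swfdec_sprite_set_n_frames the `rate > 0` guard removes the division by zero, but `44100 * 256 / rate` is loop-invariant and recomputed for every frame; hoisting it into a local of the same type as `sound_samples` before the loop and assigning `sprite->frames[i].sound_samples = samples;` reads more clearly. A one-line comment on the guard would record the intent given in the commit message: `/* rate == 0: no sound; sound_samples stays 0 from g_new0 */`. The declarations of `rate` and `i` are outside the hunk.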
@@ -76,7 +76,8 @@ swfdec_edit_text_parse_variable (SwfdecE return; } /* FIXME: check the variable for valid identifiers */ - if (strchr (text->variable, '/')) { + if (text->variable && + strchr (text->variable, '/')) { char *ret = swfdec_js_slash_to_dot (text->variable); g_free (text->variable); text->variable = ret; diff-tree 79da14950862c8c92669a9091edf0daf33792588 (from 3f4fa05395690c80c19ead02027ee4beb71f9f2d) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 12:07:49 2007 +0200 Fix various failures to sanely read buffers diff --git a/libswfdec/swfdec_image.c b/libswfdec/swfdec_image.c index 612b52b..6d15e27 100644 --- a/libswfdec/swfdec_image.c +++ b/libswfdec/swfdec_image.c @@ -122,9 +122,7 @@ tag_func_define_bits_jpeg (SwfdecSwfDeco } else { image->jpegtables = swfdec_buffer_ref (s->jpegtables); } - image->raw_data = swfdec_buffer_ref (bits->buffer); - - bits->ptr += bits->buffer->length - 2; + image->raw_data = swfdec_bits_get_buffer (bits, -1); return SWFDEC_STATUS_OK; } @@ -146,14 +144,14 @@ swfdec_image_jpeg_load (SwfdecImage *ima jpeg_decoder_addbits (dec, image->jpegtables->data, image->jpegtables->length); } - if (image->raw_data->data[2] != 0xff || image->raw_data->data[3] != 0xd8) { + if (image->raw_data->data[0] != 0xff || image->raw_data->data[1] != 0xd8) { SWFDEC_ERROR("not jpeg %02x %02x", - image->raw_data->data[2], image->raw_data->data[3]); + image->raw_data->data[0], image->raw_data->data[1]); jpeg_decoder_free (dec); return; } - jpeg_decoder_addbits (dec, image->raw_data->data + 2, - image->raw_data->length - 2); + jpeg_decoder_addbits (dec, image->raw_data->data, + image->raw_data->length); jpeg_decoder_parse (dec); jpeg_decoder_get_image_size (dec, &image->width, &image->height); if (image->width == 0 || image->height == 0) { 
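Review bot: The rewritten signature check in swfdec_image_jpeg_load reads `image->raw_data->data[0]` and `data[1]` without first confirming `image->raw_data->length >= 2`; `swfdec_bits_get_buffer (bits, -1)` returns NULL only when no data is available, so a tag carrying a single byte passes the NULL test added in swfdec_image_ensure_loaded and the check reads past the buffer. Guarding the length first, `if (image->raw_data->length < 2 || image->raw_data->data[0] != 0xff || image->raw_data->data[1] != 0xd8) {`, closes that, and the identical check in swfdec_image_jpeg2_load (the `@@ -198` hunk on the next line) needs the same change. The tag-function hunk above it (`@@ -122`) leaves `image->raw_data` NULL for an empty tag without a log line; a `SWFDEC_ERROR` there would explain why the image later refuses to load. Both load functions start outside their hunks.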
@@ -184,9 +182,7 @@ tag_func_define_bits_jpeg_2 (SwfdecSwfDe return SWFDEC_STATUS_OK; image->type = SWFDEC_IMAGE_TYPE_JPEG2; - image->raw_data = swfdec_buffer_ref (bits->buffer); - - bits->ptr += bits->buffer->length - 2; + image->raw_data = swfdec_bits_get_buffer (bits, -1); return SWFDEC_STATUS_OK; } @@ -198,14 +194,14 @@ swfdec_image_jpeg2_load (SwfdecImage *im dec = jpeg_decoder_new (); - if (image->raw_data->data[2] != 0xff || image->raw_data->data[3] != 0xd8) { + if (image->raw_data->data[0] != 0xff || image->raw_data->data[1] != 0xd8) { SWFDEC_ERROR("not jpeg %02x %02x", - image->raw_data->data[2], image->raw_data->data[3]); + image->raw_data->data[0], image->raw_data->data[1]); jpeg_decoder_free (dec); return; } - jpeg_decoder_addbits (dec, image->raw_data->data + 2, - image->raw_data->length - 2); + jpeg_decoder_addbits (dec, image->raw_data->data, + image->raw_data->length); jpeg_decoder_parse (dec); jpeg_decoder_get_image_size (dec, &image->width, &image->height); if (image->width == 0 || image->height == 0) { @@ -539,6 +535,9 @@ swfdec_image_colormap_decode (SwfdecImag static gboolean swfdec_image_ensure_loaded (SwfdecImage *image) { + if (image->raw_data == NULL) + return FALSE; + if (image->data == NULL) { switch (image->type) { case SWFDEC_IMAGE_TYPE_JPEG: diff-tree 3f4fa05395690c80c19ead02027ee4beb71f9f2d (from d7461508e0d76b7eaa89cc67427f8415884d29f7) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 12:07:21 2007 +0200 handle morph shape offset sanely diff --git a/libswfdec/swfdec_shape.c b/libswfdec/swfdec_shape.c index 3792582..a81b389 100644 --- a/libswfdec/swfdec_shape.c +++ b/libswfdec/swfdec_shape.c 
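Review bot: The early `if (image->raw_data == NULL) return FALSE;` in swfdec_image_ensure_loaded deserves a why-comment, because the NULL case is created by the DefineBitsJPEG tag functions earlier in this commit, where `swfdec_bits_get_buffer (bits, -1)` yields NULL for a data-less tag: `/* the defining tag carried no data; nothing to decode */`. Whether callers treat FALSE as "skip drawing" or as a hard error is not visible here, and the function body continues outside the hunk.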
@@ -1038,7 +1038,10 @@ tag_define_morph_shape (SwfdecSwfDecoder swfdec_bits_get_rect (bits, &morph->end_extents); offset = swfdec_bits_get_u32 (bits); end_bits = *bits; - end_bits.ptr += offset; + if (swfdec_bits_skip_bytes (&end_bits, offset) != offset) { + SWFDEC_ERROR ("wrong offset in DefineMorphShape"); + return SWFDEC_STATUS_OK; + } bits->end = end_bits.ptr; swfdec_shape_add_styles (s, SWFDEC_SHAPE (morph), diff-tree d7461508e0d76b7eaa89cc67427f8415884d29f7 (from 42e6df0df9df1b028752c6afe2632008e3378bdc) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 11:46:17 2007 +0200 sanely skip offsets in DefineFont2 diff --git a/libswfdec/swfdec_font.c b/libswfdec/swfdec_font.c index c626104..c0562b1 100644 --- a/libswfdec/swfdec_font.c +++ b/libswfdec/swfdec_font.c @@ -289,6 +289,7 @@ tag_func_define_font_2 (SwfdecSwfDecoder int font_descent; int font_leading; int i; + guint skip; id = swfdec_bits_get_u16 (bits); font = swfdec_swf_decoder_create_character (s, id, SWFDEC_TYPE_FONT); @@ -318,10 +319,18 @@ tag_func_define_font_2 (SwfdecSwfDecoder n_glyphs = swfdec_bits_get_u16 (bits); if (wide_offsets) { - bits->ptr += 4 * n_glyphs; + skip = 4 * n_glyphs; + if (swfdec_bits_skip_bytes (bits, skip) != skip) { + SWFDEC_ERROR ("could not skip %u bytes", skip); + return SWFDEC_STATUS_OK; + } code_table_offset = swfdec_bits_get_u32 (bits); } else { - bits->ptr += 2 * n_glyphs; + skip = 2 * n_glyphs; + if (swfdec_bits_skip_bytes (bits, skip) != skip) { + SWFDEC_ERROR ("could not skip %u bytes", skip); + return SWFDEC_STATUS_OK; + } code_table_offset = swfdec_bits_get_u16 (bits); } diff-tree 42e6df0df9df1b028752c6afe2632008e3378bdc (from f8d83577ae0fca8a750b0ff309faaf205cbe87cc) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 11:35:50 2007 +0200 fix swfcdec_script_new to not touch the SwfdecBits struct directly diff --git a/libswfdec/swfdec_script.c b/libswfdec/swfdec_script.c index 5163ce7..d675207 100644 --- a/libswfdec/swfdec_script.c 
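Review bot: The new `swfdec_bits_skip_bytes (&end_bits, offset) != offset` test in tag_define_morph_shape rejects an offset past the end, but an `offset` of 0 passes it, after which `bits->end = end_bits.ptr` leaves the start-shape reader empty and swfdec_shape_add_styles runs on a zero-length range; if a zero offset is never valid in a DefineMorphShape tag, `if (offset == 0 || swfdec_bits_skip_bytes (&end_bits, offset) != offset) {` is the safer form. The early `return SWFDEC_STATUS_OK` also happens after `morph->end_extents` has been written, so a partially initialised morph character presumably stays registered with the decoder; a comment on the return, `/* morph stays registered but has no styles or edges */`, or an explicit error status, would make that choice deliberate. The function head is outside the hunk.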
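Review bot: The two `skip` / `swfdec_bits_skip_bytes` blocks added to tag_func_define_font_2 (the `@@ -318` hunk) are identical apart from the multiplier and the width of the read that follows, so the error path is duplicated; folding them into one check keeps a single exit. A comment that `skip` cannot overflow because `n_glyphs` comes from `swfdec_bits_get_u16` would also stop a reader from assuming the guard covers that. The `guint skip;` declaration from the `@@ -289` hunk is kept; the function continues outside the hunk.
```c
  n_glyphs = swfdec_bits_get_u16 (bits);
  /* offset table: 4 bytes per glyph with wide offsets, 2 otherwise;
   * n_glyphs is a u16, so this cannot overflow a guint */
  skip = (wide_offsets ? 4 : 2) * n_glyphs;
  if (swfdec_bits_skip_bytes (bits, skip) != skip) {
    SWFDEC_ERROR ("could not skip %u bytes", skip);
    return SWFDEC_STATUS_OK;
  }
  code_table_offset = wide_offsets ? swfdec_bits_get_u32 (bits)
                                   : swfdec_bits_get_u16 (bits);
  /* … unchanged: rest of tag_func_define_font_2 … */
```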
+++ b/libswfdec/swfdec_script.c @@ -2731,7 +2731,8 @@ SwfdecScript * swfdec_script_new (SwfdecBits *bits, const char *name, guint version) { SwfdecScript *script; - const guchar *start; + SwfdecBits org; + guint len; g_return_val_if_fail (bits != NULL, NULL); @@ -2740,8 +2741,8 @@ swfdec_script_new (SwfdecBits *bits, con return NULL; } - swfdec_bits_syncbits (bits); - start = bits->ptr; + org = *bits; + len = swfdec_bits_left (bits) / 8; script = g_new0 (SwfdecScript, 1); script->refcount = 1; script->name = g_strdup (name ? name : "Unnamed script"); @@ -2750,15 +2751,12 @@ swfdec_script_new (SwfdecBits *bits, con * DefineFunction and friends override this */ script->flags = SWFDEC_SCRIPT_SUPPRESS_ARGS; - if (!swfdec_script_foreach_internal (bits, validate_action, script)) { - /* assign a random buffer here so we have something to unref */ - script->buffer = bits->buffer; - swfdec_buffer_ref (script->buffer); + if (!swfdec_script_foreach_internal (bits, validate_action, script) || + (len -= swfdec_bits_left (bits) / 8) == 0) { swfdec_script_unref (script); return NULL; } - script->buffer = swfdec_buffer_new_subbuffer (bits->buffer, start - bits->buffer->data, - bits->ptr - start); + script->buffer = swfdec_bits_get_buffer (&org, len); return script; } @@ -2785,7 +2783,8 @@ swfdec_script_unref (SwfdecScript *scrip if (script->refcount > 0) return; - swfdec_buffer_unref (script->buffer); + if (script->buffer) + swfdec_buffer_unref (script->buffer); if (script->constant_pool) swfdec_buffer_unref (script->constant_pool); g_free (script->name); diff-tree f8d83577ae0fca8a750b0ff309faaf205cbe87cc (from 0fecc667a7f73138a1e16b12a0c9c7f4081d369c) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 11:35:21 2007 +0200 handle 0 bytes of input gracefully diff --git a/libswfdec/jpeg/jpeg.c b/libswfdec/jpeg/jpeg.c index 216d8a5..228a4d8 100644 --- a/libswfdec/jpeg/jpeg.c +++ b/libswfdec/jpeg/jpeg.c 
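Review bot: Folding `(len -= swfdec_bits_left (bits) / 8) == 0` into the `||` condition in swfdec_script_new hides a side effect inside the test and relies on short-circuit order to keep `len` meaningful, which is easy to misread; computing the consumed length on its own line keeps the two failure cases distinct. Separately, the old code called `swfdec_bits_syncbits (bits)` before recording the start, while the new code copies `org = *bits` and divides `swfdec_bits_left (bits)` by 8 without aligning; if a caller can hand over `bits` mid-byte, `len` is truncated by up to one byte and `swfdec_bits_get_buffer (&org, len)` starts at an unaligned position, so a comment or assertion is warranted if byte alignment is now a caller obligation. The `if (script->buffer)` guard in swfdec_script_unref matches the failure path in which `buffer` is never assigned. The body between the hunks is not shown.
```c
  if (!swfdec_script_foreach_internal (bits, validate_action, script)) {
    swfdec_script_unref (script);
    return NULL;
  }
  /* bytes consumed by the action stream; 0 means nothing was read */
  len -= swfdec_bits_left (bits) / 8;
  if (len == 0) {
    swfdec_script_unref (script);
    return NULL;
  }
  script->buffer = swfdec_bits_get_buffer (&org, len);
  return script;
```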
@@ -780,6 +780,9 @@ jpeg_decoder_addbits (JpegDecoder * dec, { unsigned int offset; + if (len == 0) + return 0; + #if 0 { static int index = 0; diff-tree 0fecc667a7f73138a1e16b12a0c9c7f4081d369c (from 56fd58406827a35ff524eb9340d07602e819e6f2) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 11:34:56 2007 +0200 clarify beahviour of swfdec_bits_get_buffer diff --git a/libswfdec/swfdec_bits.c b/libswfdec/swfdec_bits.c index 11df1ba..8eef225 100644 --- a/libswfdec/swfdec_bits.c +++ b/libswfdec/swfdec_bits.c @@ -646,7 +646,8 @@ swfdec_bits_get_rect (SwfdecBits * bits, * @len: length of buffer or -1 for maximum * * Gets the contents of the next @len bytes of @bits and buts them in a new - * subbuffer. + * subbuffer. If @len is 0 (or @len is -1 and no more data is available), this + * is considered a reading error and %NULL is returned. * * Returns: the new #SwfdecBuffer or NULL if the requested amount of data * isn't available diff-tree 56fd58406827a35ff524eb9340d07602e819e6f2 (from a490ca007d4158f6989c3b9d858e8703a0c69fbf) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 11:12:46 2007 +0200 read font names sanely diff --git a/libswfdec/swfdec_font.c b/libswfdec/swfdec_font.c index 0aca1d5..c626104 100644 --- a/libswfdec/swfdec_font.c +++ b/libswfdec/swfdec_font.c @@ -93,6 +93,7 @@ swfdec_font_get_glyph (SwfdecFont * font return g_array_index (font->glyphs, SwfdecFontEntry, glyph).shape; } +#if 0 static char * convert_from_language (const char *s, SwfdecLanguage language) { @@ -120,6 +121,7 @@ convert_from_language (const char *s, Sw SWFDEC_ERROR ("given text is not in language %s", langcode); return ret; } +#endif int tag_func_define_font_info (SwfdecSwfDecoder *s, guint version) 
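Review bot: The new `if (len == 0) return 0;` in jpeg_decoder_addbits cannot be checked against the parameter's type because the signature is outside the hunk; if `len` is signed, `if (len <= 0) return 0;` would also reject a negative length before it reaches the buffering code below. A short comment, `/* empty input: nothing to buffer */`, would say why 0 rather than an error is returned. None of the callers visible in the swfdec_image.c hunks use the return value, so the choice appears to be informational only.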
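Review bot: Wrapping convert_from_language in `#if 0` / `#endif` (the `@@ -93` and `@@ -120` hunks in swfdec_font.c) keeps dead code in the file; since the same commit removes its only visible caller in tag_func_define_font_info, deleting the function outright is cleaner and the history keeps it. If it is kept for a planned re-enable, a comment on the `#if 0` saying so, `/* disabled: unused since DefineFontInfo stopped converting names */`, would spare the next reader the question. The body of convert_from_language is outside the hunks.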
@@ -158,7 +160,6 @@ tag_func_define_font_info (SwfdecSwfDeco wide = swfdec_bits_getbit (&s->b); if (version > 1) language = swfdec_bits_get_u8 (&s->b); - font->name = convert_from_language (name, language); g_free (name); if (font->name) { SWFDEC_LOG ("Creating font description for font %d", id); @@ -308,8 +309,12 @@ tag_func_define_font_2 (SwfdecSwfDecoder SWFDEC_DEBUG("langcode %d", langcode); font_name_len = swfdec_bits_get_u8 (bits); - //font_name = - bits->ptr += font_name_len; + font->name = swfdec_bits_get_string_length (bits, font_name_len); + if (font->name == NULL) { + SWFDEC_ERROR ("error reading font name"); + } else { + SWFDEC_LOG (" font name = %s", font->name); + } n_glyphs = swfdec_bits_get_u16 (bits); if (wide_offsets) { @@ -397,7 +402,11 @@ tag_func_define_font_3 (SwfdecSwfDecoder SWFDEC_LOG (" language = %u", (guint) language); len = swfdec_bits_get_u8 (&s->b); font->name = swfdec_bits_get_string_length (&s->b, len); - SWFDEC_LOG (" name = %s", font->name); + if (font->name == NULL) { + SWFDEC_ERROR ("error reading font name"); + } else { + SWFDEC_LOG (" font name = %s", font->name); + } n_glyphs = swfdec_bits_get_u16 (&s->b); SWFDEC_LOG (" n_glyphs = %u", n_glyphs); diff-tree a490ca007d4158f6989c3b9d858e8703a0c69fbf (from 26c7b2f2b16edc2c7f9f044deee8fbc06743fee7) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 11:12:34 2007 +0200 use swfdec_bits_get_buffer instead of manually fuzzing with the SwfdecBits structure diff --git a/libswfdec/swfdec_image.c b/libswfdec/swfdec_image.c index 69a3f17..612b52b 100644 --- a/libswfdec/swfdec_image.c +++ b/libswfdec/swfdec_image.c 
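Review bot: After removing `font->name = convert_from_language (name, language);`, nothing in this hunk assigns `font->name`, so `name` is freed unused and the following `if (font->name)` branch only runs if the name was set earlier in the function (outside the hunk); if it was not, DefineFontInfo now silently discards the font name and the `language` value read just above becomes unused, which compilers will flag. If that is intended until the conversion is reworked, a comment at the removal point, `/* FIXME: name is read but not stored; convert_from_language is disabled */`, documents it; if the raw bytes are acceptable, `font->name = name;` in place of the `g_free` keeps the data. The function start is outside the hunk.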
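Review bot: In the DefineFont2 hunk (`@@ -308`) a NULL result from `swfdec_bits_get_string_length` is logged and parsing continues with `n_glyphs = swfdec_bits_get_u16 (bits)`; since that helper returns NULL both for truncated input and for invalid UTF-8 (per its documentation in the swfdec_bits.c hunk below), "error reading font name" cannot tell the two apart, and on truncation the following reads are presumably going to fail as well. The identical five-line check in the DefineFont3 hunk (`@@ -397`) suggests a tiny shared helper, or at least a comment stating that a missing name is non-fatal: `/* a bad name is not fatal; the glyphs are still usable */`. Both functions start outside their hunks.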
@@ -96,8 +96,7 @@ swfdec_image_jpegtables (SwfdecSwfDecode SWFDEC_DEBUG ("swfdec_image_jpegtables"); - s->jpegtables = swfdec_buffer_ref (bits->buffer); - bits->ptr += bits->buffer->length; + s->jpegtables = swfdec_bits_get_buffer (bits, -1); return SWFDEC_STATUS_OK; } diff-tree 26c7b2f2b16edc2c7f9f044deee8fbc06743fee7 (from 04113e5a83386f59140f248a817f7bf8d6728ddb) Author: Benjamin Otte <otte@gnome.org> Date: Tue Apr 17 11:00:41 2007 +0200 make swfdec_bits_get_string_length read 0-byte strings diff --git a/libswfdec/swfdec_bits.c b/libswfdec/swfdec_bits.c index 6e25cf7..11df1ba 100644 --- a/libswfdec/swfdec_bits.c +++ b/libswfdec/swfdec_bits.c @@ -521,11 +521,22 @@ swfdec_bits_skip_bytes (SwfdecBits *bits return n_bytes; } +/** + * swfdec_bits_get_string_length: + * @bits: a #SwfdecBits + * @len: number of bytes to read + * + * Reads the next @len bytes into a string and validates it as UTF-8. + * + * Returns: a new string or %NULL on error + **/ char * swfdec_bits_get_string_length (SwfdecBits * bits, guint len) { char *ret; + if (len == 0) + return g_strdup (""); SWFDEC_BYTES_CHECK (bits, len); ret = g_strndup ((char *) bits->ptr, len);
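Review bot: `s->jpegtables = swfdec_bits_get_buffer (bits, -1);` can now leave `s->jpegtables` NULL for an empty JPEGTables tag, whereas the previous `swfdec_buffer_ref (bits->buffer)` always produced a buffer; the later `image->jpegtables = swfdec_buffer_ref (s->jpegtables);` in tag_func_define_bits_jpeg would then take a reference on NULL unless the branch above it (outside that hunk) already tests for it. Logging the case here, `if (s->jpegtables == NULL) SWFDEC_ERROR ("empty JPEGTables tag");`, makes the failure visible, and the consumer should check for NULL before referencing. The function head is outside the hunk.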
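Review bot: The new `if (len == 0) return g_strdup ("");` in swfdec_bits_get_string_length returns before `SWFDEC_BYTES_CHECK`, which is fine, but the new doc comment should say so, since "Returns: a new string or %NULL on error" leaves the zero-length case to the reader: `* A @len of 0 yields an empty string, not an error.` Also, `g_strndup ((char *) bits->ptr, len)` copies exactly @len bytes into a C string, so an embedded NUL among those bytes shortens what callers see; a sentence such as `* Embedded NUL bytes truncate the returned string.` would flag that for callers relying on the length. The UTF-8 validation the comment names is not visible in the hunk.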