CVSROOT: /sources/gnash
Module name: gnash
Changes by: Sandro Santilli <strk> 08/01/28 15:16:52
Modified files:
. : ChangeLog
server : cxform.cpp font.cpp matrix.cpp rect.cpp
stream.cpp stream.h styles.cpp
server/parser : filter_factory.cpp
server/swf : StartSoundTag.cpp
Log message:
Make parser more robust.
CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/gnash/ChangeLog?cvsroot=gnash&r1=1.5508&r2=1.5509
http://cvs.savannah.gnu.org/viewcvs/gnash/server/cxform.cpp?cvsroot=gnash&r1=1.9&r2=1.10
http://cvs.savannah.gnu.org/viewcvs/gnash/server/font.cpp?cvsroot=gnash&r1=1.55&r2=1.56
http://cvs.savannah.gnu.org/viewcvs/gnash/server/matrix.cpp?cvsroot=gnash&r1=1.23&r2=1.24
http://cvs.savannah.gnu.org/viewcvs/gnash/server/rect.cpp?cvsroot=gnash&r1=1.16&r2=1.17
http://cvs.savannah.gnu.org/viewcvs/gnash/server/stream.cpp?cvsroot=gnash&r1=1.42&r2=1.43
http://cvs.savannah.gnu.org/viewcvs/gnash/server/stream.h?cvsroot=gnash&r1=1.39&r2=1.40
http://cvs.savannah.gnu.org/viewcvs/gnash/server/styles.cpp?cvsroot=gnash&r1=1.36&r2=1.37
http://cvs.savannah.gnu.org/viewcvs/gnash/server/parser/filter_factory.cpp?cvsroot=gnash&r1=1.8&r2=1.9
http://cvs.savannah.gnu.org/viewcvs/gnash/server/swf/StartSoundTag.cpp?cvsroot=gnash&r1=1.7&r2=1.8
Patches:
Index: ChangeLog
===================================================================
RCS file: /sources/gnash/gnash/ChangeLog,v
retrieving revision 1.5508
retrieving revision 1.5509
diff -u -b -r1.5508 -r1.5509
--- ChangeLog 28 Jan 2008 13:58:25 -0000 1.5508
+++ ChangeLog 28 Jan 2008 15:16:49 -0000 1.5509
@@ -1,3 +1,12 @@
+2008-01-28 Sandro Santilli <[EMAIL PROTECTED]>
+
+ * server/stream.{cpp,h}: fix comments about get_position and
+ ensureBytes, add an ensureBits, make string reading functions
+ fail safe.
+ * server/: cxform.cpp, font.cpp, matrix.cpp, rect.cpp,
+ styles.cpp, parser/filter_factory.cpp, swf/StartSoundTag.cpp:
+ Robustness fixes.
+
2008-01-28 Benjamin Wolsey <[EMAIL PROTECTED]>
* pythonmodule/gnashpython.h: config.h -> gnashconfig.h.
Index: server/cxform.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/cxform.cpp,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -b -r1.9 -r1.10
--- server/cxform.cpp 21 Jan 2008 20:55:49 -0000 1.9
+++ server/cxform.cpp 28 Jan 2008 15:16:50 -0000 1.10
@@ -16,7 +16,7 @@
// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
//
-// $Id: cxform.cpp,v 1.9 2008/01/21 20:55:49 rsavoye Exp $
+// $Id: cxform.cpp,v 1.10 2008/01/28 15:16:50 strk Exp $
//
#ifdef HAVE_CONFIG_H
@@ -88,10 +88,14 @@
{
in.align();
+ in.ensureBits(6);
bool has_add = in.read_bit();
bool has_mult = in.read_bit();
int nbits = in.read_uint(4);
+ int reads = has_mult + has_add; // 0, 1 or 2
+ if ( reads ) in.ensureBits(nbits*reads*3);
+
if (has_mult) {
m_[0][0] = in.read_sint(nbits) / 255.0f;
m_[1][0] = in.read_sint(nbits) / 255.0f;
@@ -116,10 +120,14 @@
{
in.align();
+ in.ensureBits(6);
bool has_add = in.read_bit();
bool has_mult = in.read_bit();
int nbits = in.read_uint(4);
+ int reads = has_mult + has_add; // 0, 1 or 2
+ if ( reads ) in.ensureBits(nbits*reads*4);
+
if (has_mult) {
m_[0][0] = in.read_sint(nbits) / 256.0f;
m_[1][0] = in.read_sint(nbits) / 256.0f;
Index: server/font.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/font.cpp,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -b -r1.55 -r1.56
--- server/font.cpp 21 Jan 2008 20:55:50 -0000 1.55
+++ server/font.cpp 28 Jan 2008 15:16:50 -0000 1.56
@@ -17,7 +17,7 @@
// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
//
-/* $Id: font.cpp,v 1.55 2008/01/21 20:55:50 rsavoye Exp $ */
+/* $Id: font.cpp,v 1.56 2008/01/28 15:16:50 strk Exp $ */
// Based on the public domain work of Thatcher Ulrich <[EMAIL PROTECTED]> 2003
@@ -162,6 +162,7 @@
// are measured from the start of the
// offset table.
std::vector<unsigned> offsets;
+ in->ensureBytes(2);
offsets.push_back(in->read_u16());
IF_VERBOSE_PARSE (
@@ -169,6 +170,9 @@
);
int count = offsets[0] >> 1;
+ if ( count > 0 )
+ {
+ in->ensureBytes(count*2);
for (int i = 1; i < count; i++)
{
offsets.push_back(in->read_u16());
@@ -177,6 +181,11 @@
log_parse("offset[%d] = %d", i, offsets[i]);
);
}
+ }
+ else
+ {
+ log_error("Negative embedded glyph table size: %d",
count);
+ }
_embedGlyphTable.resize(count);
@@ -206,6 +215,8 @@
log_parse(_("reading DefineFont2 or DefineFont3"));
);
+ // TODO: should this be aligned ?
+ in->ensureBytes(2); // 1 for the flags, 1 reserved
bool has_layout = in->read_bit();
m_shift_jis_chars = in->read_bit();
m_unicode_chars = in->read_bit();
@@ -237,6 +248,7 @@
delete [] name;
}
+ in->ensureBytes(2);
boost::uint16_t glyph_count = in->read_u16();
unsigned long table_base = in->get_position();
@@ -249,6 +261,7 @@
if (wide_offsets)
{
// 32-bit offsets.
+ in->ensureBytes(4*glyph_count + 4);
for (unsigned int i = 0; i < glyph_count; i++)
{
boost::uint32_t off = in->read_u32();
@@ -264,6 +277,7 @@
else
{
// 16-bit offsets.
+ in->ensureBytes(2*glyph_count + 2);
for (unsigned int i = 0; i < glyph_count; i++)
{
boost::uint16_t off = in->read_u16();
@@ -316,27 +330,38 @@
// Read layout info for the glyphs.
if (has_layout)
{
+ in->ensureBytes(6);
m_ascent = (float) in->read_s16();
m_descent = (float) in->read_s16();
m_leading = (float) in->read_s16();
// Advance table; i.e. how wide each character is.
- for (int i = 0, n = _embedGlyphTable.size(); i < n; i++)
+ size_t nGlyphs = _embedGlyphTable.size();
+ in->ensureBytes(nGlyphs*2);
+ for (int i = 0; i < nGlyphs; i++)
{
_embedGlyphTable[i].advance = (float)
in->read_s16();
}
// Bounds table.
- //m_bounds_table.resize(m_glyphs.size()); // kill
- rect dummy_rect;
- {for (size_t i = 0, n = _embedGlyphTable.size(); i < n;
i++)
{
- //m_bounds_table[i].read(in); // kill
- dummy_rect.read(in);
- }}
+ rect dummy_rect;
+ // TODO: shouldn't we log_unimpl here ??
+ for (size_t i = 0; i < nGlyphs; i++)
dummy_rect.read(in);
+ }
// Kerning pairs.
+ in->ensureBytes(2);
int kerning_count = in->read_u16();
+ if ( m_wide_codes )
+ {
+ in->ensureBytes(6*kerning_count); // includes
the adjustment
+ }
+ else
+ {
+ in->ensureBytes(4*kerning_count); // includes
the adjustment
+ }
+
for (int i = 0; i < kerning_count; i++)
{
boost::uint16_t char0, char1;
@@ -412,6 +437,7 @@
m_name.clear();
}
+ in->ensureBytes(1);
unsigned char flags = in->read_u8();
// The following 3 flags are reserved
@@ -437,10 +463,12 @@
assert(_embedded_code_table.empty());
+ size_t nGlyphs = _embedGlyphTable.size();
if (m_wide_codes)
{
+ in->ensureBytes(2*nGlyphs);
// Code table is made of boost::uint16_t's.
- for (size_t i=0, n=_embedGlyphTable.size(); i<n; ++i)
+ for (size_t i=0; i<nGlyphs; ++i)
{
boost::uint16_t code = in->read_u16();
_embedded_code_table.insert(std::make_pair(code, i));
@@ -449,7 +477,8 @@
else
{
// Code table is made of bytes.
- for (int i=0, n=_embedGlyphTable.size(); i<n; ++i)
+ in->ensureBytes(1*nGlyphs);
+ for (size_t i=0; i<nGlyphs; ++i)
{
boost::uint8_t code = in->read_u8();
_embedded_code_table.insert(std::make_pair(code, i));
Index: server/matrix.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/matrix.cpp,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -b -r1.23 -r1.24
--- server/matrix.cpp 21 Jan 2008 20:55:51 -0000 1.23
+++ server/matrix.cpp 28 Jan 2008 15:16:51 -0000 1.24
@@ -19,7 +19,7 @@
//
// Original author: Thatcher Ulrich <[EMAIL PROTECTED]> 2003
//
-// $Id: matrix.cpp,v 1.23 2008/01/21 20:55:51 rsavoye Exp $
+// $Id: matrix.cpp,v 1.24 2008/01/28 15:16:51 strk Exp $
//
#ifdef HAVE_CONFIG_H
@@ -207,31 +207,39 @@
matrix::read(stream& in)
// Initialize from the stream.
{
- // TODO: compute number of bytes needed to read the matrix
- // and ensure their availability using stream::ensureBytes
-
in.align();
set_identity();
+ in.ensureBits(1);
bool has_scale = in.read_bit();
if (has_scale)
{
+ in.ensureBits(5);
int scale_nbits = in.read_uint(5);
+
+ in.ensureBits(scale_nbits*2);
m_[0][0] = in.read_sint(scale_nbits) / 65536.0f;
m_[1][1] = in.read_sint(scale_nbits) / 65536.0f;
}
+
+ in.ensureBits(1);
bool has_rotate = in.read_bit();
if (has_rotate)
{
+ in.ensureBits(5);
int rotate_nbits = in.read_uint(5);
+
+ in.ensureBits(rotate_nbits*2);
m_[1][0] = in.read_sint(rotate_nbits) / 65536.0f;
m_[0][1] = in.read_sint(rotate_nbits) / 65536.0f;
}
+ in.ensureBits(5);
int translate_nbits = in.read_uint(5);
if (translate_nbits > 0)
{
+ in.ensureBits(translate_nbits*2);
m_[0][2] = (float) in.read_sint(translate_nbits);
m_[1][2] = (float) in.read_sint(translate_nbits);
}
Index: server/rect.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/rect.cpp,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -b -r1.16 -r1.17
--- server/rect.cpp 21 Jan 2008 20:55:51 -0000 1.16
+++ server/rect.cpp 28 Jan 2008 15:16:51 -0000 1.17
@@ -31,13 +31,12 @@
void rect::read(stream* in)
{
- // TODO: find how many bytes are required to
- // read the whole rect and ensure they
- // are available in the current tag
- // using in->ensureBytes(x)
- //
in->align();
- int nbits = in->read_uint(5);
+
+ in->ensureBits(5);
+ unsigned int nbits = in->read_uint(5);
+
+ in->ensureBits(nbits*4);
float xmin = (float) in->read_sint(nbits);
float xmax = (float) in->read_sint(nbits);
float ymin = (float) in->read_sint(nbits);
Index: server/stream.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/stream.cpp,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -b -r1.42 -r1.43
--- server/stream.cpp 21 Jan 2008 20:55:52 -0000 1.42
+++ server/stream.cpp 28 Jan 2008 15:16:51 -0000 1.43
@@ -301,23 +301,13 @@
char* stream::read_string()
{
- align();
-
- std::vector<char> buffer;
- char c;
- while ((c = read_u8()) != 0)
- {
- buffer.push_back(c);
- }
- buffer.push_back(0);
+ std::string to;
+ read_string(to); // throws ParserException
- if (buffer.size() == 0)
- {
- return NULL;
- }
+ if (to.empty()) return NULL;
- char* retval = new char[buffer.size()];
- strcpy(retval, &buffer[0]);
+ char* retval = new char[to.length()+1];
+ strcpy(retval, to.c_str());
return retval;
}
@@ -329,45 +319,37 @@
to.clear();
- char c;
- while ((c = read_u8()) != 0)
+ do
{
+ ensureBytes(1);
+ char c = read_u8();
+ if ( c == 0 ) break; // don't store a NULL in the string..
to += c;
- }
+ } while(1);
}
char* stream::read_string_with_length()
{
- align();
+ std::string to;
+ read_string_with_length(to);
- int len = read_u8();
- //log_msg("String length: %d", len);
- if (len <= 0)
- {
- return NULL;
- }
- else
- {
- char* buffer = new char[len + 1];
- int i;
- for (i = 0; i < len; i++)
- {
- buffer[i] = read_u8();
- }
- buffer[i] = '\0'; // terminate.
+ if (to.empty()) return NULL;
+
+ char* buffer = new char[to.length() + 1];
+ strcpy(buffer, to.c_str());
return buffer;
- }
}
void stream::read_string_with_length(std::string& to)
{
align();
+ ensureBytes(1);
unsigned int len = read_u8();
- read_string_with_length(len, to);
+ read_string_with_length(len, to); // will check 'len'
}
void stream::read_string_with_length(unsigned len, std::string& to)
@@ -376,6 +358,7 @@
to.resize(len);
+ ensureBytes(len);
for (unsigned int i = 0; i < len; ++i)
{
to[i] = read_u8();
Index: server/stream.h
===================================================================
RCS file: /sources/gnash/gnash/server/stream.h,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -b -r1.39 -r1.40
--- server/stream.h 21 Jan 2008 20:55:52 -0000 1.39
+++ server/stream.h 28 Jan 2008 15:16:51 -0000 1.40
@@ -251,6 +251,8 @@
///
/// aligned read
///
+ /// Will throw ParserException if no terminating null is found within
tag boundaries
+ ///
char* read_string();
/// \brief
@@ -260,6 +262,8 @@
///
/// aligned read
///
+ /// Will throw ParserException if no terminating null is found within
tag boundaries
+ ///
void read_string(std::string& to);
/// \brief
@@ -270,6 +274,8 @@
///
/// aligned read
///
+ /// Will throw ParserException if advertised length crosses tag
boundaries
+ ///
char* read_string_with_length();
/// Reads a sized string into a provided std::string.
@@ -281,6 +287,8 @@
///
/// aligned read
///
+ /// Will throw ParserException if advertised length crosses tag
boundaries
+ ///
void read_string_with_length(std::string& to);
/// Reads a sized string into a provided std::string.
@@ -294,16 +302,18 @@
///
/// aligned read
///
+ /// Will throw ParserException if len crosses tag boundaries
+ ///
void read_string_with_length(unsigned len, std::string& to);
/// Return our current (byte) position in the input stream.
//
/// NOTE:
/// This is not necessarely the byte you'll read on next read.
- /// - For bit reads the byte will be used only if not
+ /// - For bitwise reads the currenty byte will be used only if not
/// completely consumed. See align().
- /// - For aligned reads the byte will be used only if not
- /// consumed at all.
+ /// - For aligned reads the current byte will not be used
+ /// (already used)
///
unsigned long get_position();
@@ -362,8 +372,8 @@
}
/// \brief
- /// Ensure the requested number of bytes are available in the
- /// currently opened tag.
+ /// Ensure the requested number of bytes are available for an aligned
read
+ /// in the currently opened tag.
//
/// Throws a ParserException on a short count.
/// This method should be called before any attempt to read
@@ -371,13 +381,10 @@
///
/// NOTE: if GNASH_TRUST_SWF_INPUT is defined this function is a no-op
///
- /// WARNING: this function is BOGUS as it will consider the current
- /// byte as available no matter if bits have been read from
- /// it or not. TODO: consider consumed bits and see what
happens.
- ///
void ensureBytes(unsigned long needed)
{
#ifndef GNASH_TRUST_SWF_INPUT
+ if ( _tagBoundsStack.empty() ) return; // not in a tag (should
we check file length ?)
unsigned long int left = get_tag_end_position() -
get_position();
if ( left < needed )
{
@@ -388,6 +395,31 @@
#endif
}
+ /// \brief
+ /// Ensure the requested number of bits are available for a bitwise read
+ /// in currently opened tag.
+ //
+ /// Throws a ParserException on a short count.
+ /// This method should be called before any attempt to read
+ /// bits from the SWF.
+ ///
+ /// NOTE: if GNASH_TRUST_SWF_INPUT is defined this function is a no-op
+ ///
+ void ensureBits(unsigned long needed)
+ {
+#ifndef GNASH_TRUST_SWF_INPUT
+ if ( _tagBoundsStack.empty() ) return; // not in a tag (should
we check file length ?)
+ unsigned long int bytesLeft = get_tag_end_position() -
get_position();
+ unsigned long int bitsLeft = (bytesLeft*8)+m_unused_bits;
+ if ( bitsLeft < needed )
+ {
+ std::stringstream ss;
+ ss << "premature end of tag: need to read " << needed
<< " bytes, but only " << bitsLeft << " left in this tag";
+ throw ParserException(ss.str());
+ }
+#endif
+ }
+
private:
tu_file* m_input;
Index: server/styles.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/styles.cpp,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -b -r1.36 -r1.37
--- server/styles.cpp 12 Dec 2007 10:07:01 -0000 1.36
+++ server/styles.cpp 28 Jan 2008 15:16:51 -0000 1.37
@@ -35,6 +35,7 @@
{
if (tag_type == SWF::DEFINEMORPHSHAPE)
{
+ in->ensureBytes(2 + 2);
m_width = in->read_u16();
pOther->m_width = in->read_u16();
m_color.read(in, tag_type);
@@ -43,9 +44,11 @@
}
// MorphShape 2 from here down.
- in->ensureBytes(4);
+ in->ensureBytes(4 + 2);
+
m_width = in->read_u16();
pOther->m_width = in->read_u16();
+
// TODO: Same as in read(...), use these.
// 0 -- Round caps, 1 -- No caps, 2 -- square caps
boost::uint8_t caps = in->read_uint(2);
@@ -55,11 +58,14 @@
bool no_hscale = in->read_uint(1);
bool no_vscale = in->read_uint(1);
bool pixel_hinting = in->read_uint(1);
+
static_cast<void> (in->read_uint(5));
bool no_close = in->read_uint(1);
bool end_cap_style = in->read_uint(2); // As caps above.
+
if (joins == 2)
{
+ in->ensureBytes(2);
float f_miter = in->read_short_ufixed();
}
if (has_fill)
@@ -92,21 +98,24 @@
// TODO: Unfinished. Temporary to allow define shape 4 to work in many
// cases, but does not work correctly in all cases.
- in->ensureBytes(2);
+ in->ensureBytes(2+2);
m_width = in->read_u16();
+
// 0 -- Round caps, 1 -- No caps, 2 -- square caps
boost::uint8_t caps = in->read_uint(2);
// 0 -- Round join, 1 -- Bevel join, 2 -- Miter join
boost::uint8_t joins = in->read_uint(2);
- bool has_fill = in->read_uint(1);
- bool no_hscale = in->read_uint(1);
- bool no_vscale = in->read_uint(1);
- bool pixel_hinting = in->read_uint(1);
+ bool has_fill = in->read_bit();
+ bool no_hscale = in->read_bit();
+ bool no_vscale = in->read_bit();
+ bool pixel_hinting = in->read_bit();
static_cast<void> (in->read_uint(5));
- bool no_close = in->read_uint(1);
+ bool no_close = in->read_bit();
bool end_cap_style = in->read_uint(2); // As caps above.
+
if (joins == 2)
{
+ in->ensureBytes(2);
/*float f_miter =*/static_cast<void>(in->read_short_ufixed());
}
if (has_fill)
Index: server/parser/filter_factory.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/parser/filter_factory.cpp,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -b -r1.8 -r1.9
--- server/parser/filter_factory.cpp 21 Jan 2008 20:56:00 -0000 1.8
+++ server/parser/filter_factory.cpp 28 Jan 2008 15:16:51 -0000 1.9
@@ -15,7 +15,7 @@
// along with this program; if not, write to the Free Software
// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-/* $Id: filter_factory.cpp,v 1.8 2008/01/21 20:56:00 rsavoye Exp $ */
+/* $Id: filter_factory.cpp,v 1.9 2008/01/28 15:16:51 strk Exp $ */
#include "filter_factory.h"
#include "BitmapFilter.h"
@@ -60,6 +60,7 @@
{
BitmapFilter *the_filter = NULL;
+ in.ensureBytes(1);
filter_types filter_type = static_cast<filter_types> (in.read_u8());
switch (filter_type)
@@ -112,6 +113,8 @@
bool DropShadowFilter::read(stream& in)
{
+ in.ensureBytes(4 + 8 + 8 + 2 + 1);
+
m_color = in.read_u8() << 16 + in.read_u8() << 8 + in.read_u8();
m_alpha = in.read_u8();
@@ -134,6 +137,8 @@
bool BlurFilter::read(stream& in)
{
+ in.ensureBytes(4 + 4 + 1);
+
m_blurX = in.read_ufixed();
m_blurY = in.read_ufixed();
@@ -146,6 +151,8 @@
bool GlowFilter::read(stream& in)
{
+ in.ensureBytes(4 + 8 + 2 + 1);
+
m_color = in.read_u8() << 16 + in.read_u8() << 8 + in.read_u8();
m_alpha = in.read_u8();
@@ -164,6 +171,8 @@
bool BevelFilter::read(stream& in)
{
+ in.ensureBytes(4 + 4 + 8 + 8 + 2 + 1);
+
// TODO: It is possible that the order of these two should be reversed.
// highlight might come first. Find out for sure and then fix and remove
// this comment.
@@ -196,11 +205,16 @@
bool GradientGlowFilter::read(stream& in)
{
+ in.ensureBytes(1);
+
boost::uint8_t count = in.read_u8(); // How many colorings.
m_colors.reserve(count);
m_alphas.reserve(count);
m_ratios.reserve(count);
+
+ in.ensureBytes(count*5 + 8 + 8 + 2 + 1);
+
for (int i = 0; i < count; ++i)
{
m_colors.push_back(in.read_u8() << 16 + in.read_u8() << 8 +
in.read_u8());
@@ -234,14 +248,20 @@
bool ConvolutionFilter::read(stream& in)
{
+ in.ensureBytes(2 + 8);
+
m_matrixX = in.read_u8();
m_matrixY = in.read_u8();
m_divisor = in.read_float();
m_bias = in.read_float();
- m_matrix.reserve(m_matrixX * m_matrixY);
- for (int i = 0; i < m_matrixX * m_matrixY; ++i)
+ size_t matrixCount = m_matrixX * m_matrixY;
+
+ in.ensureBytes(matrixCount*4 + 4 + 1);
+
+ m_matrix.reserve(matrixCount);
+ for (size_t i = 0; i < matrixCount; ++i)
{
m_matrix.push_back(in.read_float());
}
@@ -259,6 +279,8 @@
bool ColorMatrixFilter::read(stream& in)
{
+ in.ensureBytes(20 * 4);
+
m_matrix.reserve(20);
for (int i = 0; i < 20; ++i)
{
@@ -270,8 +292,11 @@
bool GradientBevelFilter::read(stream& in)
{
+ in.ensureBytes(1);
boost::uint8_t count = in.read_u8(); // How many colorings.
+ in.ensureBytes(count*5 + 8 + 8 + 2 + 1);
+
m_colors.reserve(count);
m_alphas.reserve(count);
m_ratios.reserve(count);
Index: server/swf/StartSoundTag.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/swf/StartSoundTag.cpp,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -b -r1.7 -r1.8
--- server/swf/StartSoundTag.cpp 21 Jan 2008 20:56:02 -0000 1.7
+++ server/swf/StartSoundTag.cpp 28 Jan 2008 15:16:52 -0000 1.8
@@ -17,7 +17,7 @@
// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
//
-/* $Id: StartSoundTag.cpp,v 1.7 2008/01/21 20:56:02 rsavoye Exp $ */
+/* $Id: StartSoundTag.cpp,v 1.8 2008/01/28 15:16:52 strk Exp $ */
#ifdef HAVE_CONFIG_H
#include "gnashconfig.h"
@@ -78,6 +78,7 @@
void
StartSoundTag::read(stream& in)
{
+ in.align();
in.ensureBytes(1); // header
in.read_uint(2); // skip reserved bits.
_______________________________________________
Gnash-commit mailing list
Gnash-commit@gnu.org
http://lists.gnu.org/mailman/listinfo/gnash-commit
