[Swfdec-commits] Branch '0.6' - 4 commits - swfdec/swfdec_as_context.c swfdec/swfdec_as_object.c test/trace
Pekka Lampila
medar at kemper.freedesktop.org
Mon Jul 28 06:58:56 PDT 2008
swfdec/swfdec_as_context.c | 9 ++++++++-
swfdec/swfdec_as_object.c | 6 ++++--
test/trace/Makefile.am | 18 ++++++++++++++++++
test/trace/crash-0.6.6-create-object-5.swf |binary
test/trace/crash-0.6.6-create-object-5.swf.trace | 1 +
test/trace/crash-0.6.6-create-object-6.swf |binary
test/trace/crash-0.6.6-create-object-6.swf.trace | 1 +
test/trace/crash-0.6.6-create-object-7.swf |binary
test/trace/crash-0.6.6-create-object-7.swf.trace | 1 +
test/trace/crash-0.6.6-create-object-8.swf |binary
test/trace/crash-0.6.6-create-object-8.swf.trace | 1 +
test/trace/crash-0.6.6-create-object.as | 10 ++++++++++
test/trace/crash-0.6.6-native-constructor-5.swf |binary
test/trace/crash-0.6.6-native-constructor-5.swf.trace | 1 +
test/trace/crash-0.6.6-native-constructor-6.swf |binary
test/trace/crash-0.6.6-native-constructor-6.swf.trace | 1 +
test/trace/crash-0.6.6-native-constructor-7.swf |binary
test/trace/crash-0.6.6-native-constructor-7.swf.trace | 1 +
test/trace/crash-0.6.6-native-constructor-8.swf |binary
test/trace/crash-0.6.6-native-constructor-8.swf.trace | 1 +
test/trace/crash-0.6.6-native-constructor.as | 11 +++++++++++
21 files changed, 59 insertions(+), 3 deletions(-)
New commits:
commit dbab97a18f6732e8238eb9c838b6b5b9b66b88c2
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Mon Jul 28 16:46:25 2008 +0300
Add a test for crash when native constructor is called with an invalid type
diff --git a/test/trace/Makefile.am b/test/trace/Makefile.am
index 3e997d4..28f6e8d 100644
--- a/test/trace/Makefile.am
+++ b/test/trace/Makefile.am
@@ -754,6 +754,15 @@ EXTRA_DIST = \
crash-0.6.6-date-8.swf \
crash-0.6.6-date-8.swf.trace \
crash-0.6.6-date.as \
+ crash-0.6.6-native-constructor-5.swf \
+ crash-0.6.6-native-constructor-5.swf.trace \
+ crash-0.6.6-native-constructor-6.swf \
+ crash-0.6.6-native-constructor-6.swf.trace \
+ crash-0.6.6-native-constructor-7.swf \
+ crash-0.6.6-native-constructor-7.swf.trace \
+ crash-0.6.6-native-constructor-8.swf \
+ crash-0.6.6-native-constructor-8.swf.trace \
+ crash-0.6.6-native-constructor.as \
crash-0.6.6-prototype-recursion-5.swf \
crash-0.6.6-prototype-recursion-5.swf.trace \
crash-0.6.6-prototype-recursion-6.swf \
diff --git a/test/trace/crash-0.6.6-native-constructor-5.swf b/test/trace/crash-0.6.6-native-constructor-5.swf
new file mode 100644
index 0000000..3996f2a
Binary files /dev/null and b/test/trace/crash-0.6.6-native-constructor-5.swf differ
diff --git a/test/trace/crash-0.6.6-native-constructor-5.swf.trace b/test/trace/crash-0.6.6-native-constructor-5.swf.trace
new file mode 100644
index 0000000..46c38f6
--- /dev/null
+++ b/test/trace/crash-0.6.6-native-constructor-5.swf.trace
@@ -0,0 +1 @@
+Qapla!
diff --git a/test/trace/crash-0.6.6-native-constructor-6.swf b/test/trace/crash-0.6.6-native-constructor-6.swf
new file mode 100644
index 0000000..8b8d496
Binary files /dev/null and b/test/trace/crash-0.6.6-native-constructor-6.swf differ
diff --git a/test/trace/crash-0.6.6-native-constructor-6.swf.trace b/test/trace/crash-0.6.6-native-constructor-6.swf.trace
new file mode 100644
index 0000000..46c38f6
--- /dev/null
+++ b/test/trace/crash-0.6.6-native-constructor-6.swf.trace
@@ -0,0 +1 @@
+Qapla!
diff --git a/test/trace/crash-0.6.6-native-constructor-7.swf b/test/trace/crash-0.6.6-native-constructor-7.swf
new file mode 100644
index 0000000..93819e5
Binary files /dev/null and b/test/trace/crash-0.6.6-native-constructor-7.swf differ
diff --git a/test/trace/crash-0.6.6-native-constructor-7.swf.trace b/test/trace/crash-0.6.6-native-constructor-7.swf.trace
new file mode 100644
index 0000000..46c38f6
--- /dev/null
+++ b/test/trace/crash-0.6.6-native-constructor-7.swf.trace
@@ -0,0 +1 @@
+Qapla!
diff --git a/test/trace/crash-0.6.6-native-constructor-8.swf b/test/trace/crash-0.6.6-native-constructor-8.swf
new file mode 100644
index 0000000..bc1676e
Binary files /dev/null and b/test/trace/crash-0.6.6-native-constructor-8.swf differ
diff --git a/test/trace/crash-0.6.6-native-constructor-8.swf.trace b/test/trace/crash-0.6.6-native-constructor-8.swf.trace
new file mode 100644
index 0000000..46c38f6
--- /dev/null
+++ b/test/trace/crash-0.6.6-native-constructor-8.swf.trace
@@ -0,0 +1 @@
+Qapla!
diff --git a/test/trace/crash-0.6.6-native-constructor.as b/test/trace/crash-0.6.6-native-constructor.as
new file mode 100644
index 0000000..3ce4884
--- /dev/null
+++ b/test/trace/crash-0.6.6-native-constructor.as
@@ -0,0 +1,11 @@
+// makeswf -v 7 -s 200x150 -r 15 -o crash-0.6.6-create-object.swf crash-0.6.6-create-object.as
+
+function Test () {
+ this.__proto__.__constructor__ = Date;
+ super ();
+}
+var t = new Test ();
+
+trace ("Qapla!");
+
+getURL ("fscommand:quit", "");
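Review bot: The makeswf comment on the first line of this new file names the wrong files — it reads `-o crash-0.6.6-create-object.swf crash-0.6.6-create-object.as` although the file is crash-0.6.6-native-constructor.as, so regenerating the .swf from that comment would overwrite the other test's binary. Change it to `// makeswf -v 7 -s 200x150 -r 15 -o crash-0.6.6-native-constructor.swf crash-0.6.6-native-constructor.as`. A one-line comment saying what the script exercises (reaching the native Date constructor through `super ()` with a plain object as `this`) would also let a reader match the test to the fix in swfdec_as_context.c without reading the commit log.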
commit 1fe97ae089cd6161b96dd53dca975888a1f8dcc4
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Mon Jul 28 16:44:20 2008 +0300
Don't crash when native constructor is called with an invalid type
Added SWFDEC_FIXME for those cases, because now we will ignore the call, but
that is not the correct thing to do
diff --git a/swfdec/swfdec_as_context.c b/swfdec/swfdec_as_context.c
index 24b25c6..7d0f7f2 100644
--- a/swfdec/swfdec_as_context.c
+++ b/swfdec/swfdec_as_context.c
@@ -840,7 +840,9 @@ start:
SwfdecAsValue rval = { 0, };
if (frame->argc >= native->min_args &&
(native->type == 0 ||
- g_type_is_a (G_OBJECT_TYPE (frame->thisp), native->type))) {
+ g_type_is_a (G_OBJECT_TYPE (frame->thisp), native->type)) &&
+ (!frame->construct || native->construct_type == 0 ||
+ g_type_is_a (G_OBJECT_TYPE (frame->thisp), native->construct_type))) {
SwfdecAsValue *argv;
/* accumulate argv */
if (frame->argc == 0 || frame->argv != NULL) {
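Review bot: The construct-type test added to the `if` here is repeated verbatim in the `else` branch of the next hunk (`@@ -871,6 +873,11 @@`), so the two copies can drift apart and the check is evaluated twice on the reject path. Evaluate it once before the `if`, e.g. `gboolean construct_ok = !frame->construct || native->construct_type == 0 || g_type_is_a (G_OBJECT_TYPE (frame->thisp), native->construct_type);`, then use `construct_ok` in the condition and `!construct_ok` to guard the FIXME. Note that `G_OBJECT_TYPE (frame->thisp)` is now reached for every construct call whose native has a non-zero construct_type, including the `native->type == 0` case that previously short-circuited before touching thisp; if thisp can ever be NULL on a construct frame this would be a null dereference, so that invariant is worth confirming in a comment. The enclosing function starts before this hunk and continues after it.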
@@ -871,6 +873,11 @@ start:
argv, &rval);
if (argv != frame->argv)
g_free (argv);
+ } else {
+ if (frame->construct && native->construct_type != 0 &&
+ !g_type_is_a (G_OBJECT_TYPE (frame->thisp), native->construct_type)) {
+ SWFDEC_FIXME ("Ignoring call to native constructor with invalid type");
+ }
}
swfdec_as_frame_return (frame, &rval);
goto start;
commit eb03c1e9ee0600c8e787845283ac1ca297d3e9a4
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Mon Jul 28 14:58:41 2008 +0300
Add a test for the crash with constructors that have a loop in prototype chain
diff --git a/test/trace/Makefile.am b/test/trace/Makefile.am
index f8c6703..3e997d4 100644
--- a/test/trace/Makefile.am
+++ b/test/trace/Makefile.am
@@ -736,6 +736,15 @@ EXTRA_DIST = \
crash-0.6.2-try-and-exception-on-dispose-8.swf \
crash-0.6.2-try-and-exception-on-dispose-8.swf.trace \
crash-0.6.2-try-and-exception-on-dispose.as \
+ crash-0.6.6-create-object-5.swf \
+ crash-0.6.6-create-object-5.swf.trace \
+ crash-0.6.6-create-object-6.swf \
+ crash-0.6.6-create-object-6.swf.trace \
+ crash-0.6.6-create-object-7.swf \
+ crash-0.6.6-create-object-7.swf.trace \
+ crash-0.6.6-create-object-8.swf \
+ crash-0.6.6-create-object-8.swf.trace \
+ crash-0.6.6-create-object.as \
crash-0.6.6-date-5.swf \
crash-0.6.6-date-5.swf.trace \
crash-0.6.6-date-6.swf \
diff --git a/test/trace/crash-0.6.6-create-object-5.swf b/test/trace/crash-0.6.6-create-object-5.swf
new file mode 100644
index 0000000..92f5c39
Binary files /dev/null and b/test/trace/crash-0.6.6-create-object-5.swf differ
diff --git a/test/trace/crash-0.6.6-create-object-5.swf.trace b/test/trace/crash-0.6.6-create-object-5.swf.trace
new file mode 100644
index 0000000..cd770b3
--- /dev/null
+++ b/test/trace/crash-0.6.6-create-object-5.swf.trace
@@ -0,0 +1 @@
+Created:
diff --git a/test/trace/crash-0.6.6-create-object-6.swf b/test/trace/crash-0.6.6-create-object-6.swf
new file mode 100644
index 0000000..0d35c08
Binary files /dev/null and b/test/trace/crash-0.6.6-create-object-6.swf differ
diff --git a/test/trace/crash-0.6.6-create-object-6.swf.trace b/test/trace/crash-0.6.6-create-object-6.swf.trace
new file mode 100644
index 0000000..8074f67
--- /dev/null
+++ b/test/trace/crash-0.6.6-create-object-6.swf.trace
@@ -0,0 +1 @@
+Created: [object Object]
diff --git a/test/trace/crash-0.6.6-create-object-7.swf b/test/trace/crash-0.6.6-create-object-7.swf
new file mode 100644
index 0000000..90f4759
Binary files /dev/null and b/test/trace/crash-0.6.6-create-object-7.swf differ
diff --git a/test/trace/crash-0.6.6-create-object-7.swf.trace b/test/trace/crash-0.6.6-create-object-7.swf.trace
new file mode 100644
index 0000000..8074f67
--- /dev/null
+++ b/test/trace/crash-0.6.6-create-object-7.swf.trace
@@ -0,0 +1 @@
+Created: [object Object]
diff --git a/test/trace/crash-0.6.6-create-object-8.swf b/test/trace/crash-0.6.6-create-object-8.swf
new file mode 100644
index 0000000..beaf873
Binary files /dev/null and b/test/trace/crash-0.6.6-create-object-8.swf differ
diff --git a/test/trace/crash-0.6.6-create-object-8.swf.trace b/test/trace/crash-0.6.6-create-object-8.swf.trace
new file mode 100644
index 0000000..8074f67
--- /dev/null
+++ b/test/trace/crash-0.6.6-create-object-8.swf.trace
@@ -0,0 +1 @@
+Created: [object Object]
diff --git a/test/trace/crash-0.6.6-create-object.as b/test/trace/crash-0.6.6-create-object.as
new file mode 100644
index 0000000..9bbcec9
--- /dev/null
+++ b/test/trace/crash-0.6.6-create-object.as
@@ -0,0 +1,10 @@
+// makeswf -v 7 -s 200x150 -r 15 -o crash-0.6.6-create-object.swf crash-0.6.6-create-object.as
+
+function Evil () {}
+Evil.__constructor__ = Evil;
+Evil.prototype = Evil;
+var e = new Evil ();
+
+trace ("Created: " + e);
+
+getURL ("fscommand:quit", "");
commit d913e9d3993d21cb2f78936c55b65eda32091d70
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Mon Jul 28 14:54:03 2008 +0300
Fix an infinite loop when constructor has a loop in its property chain
swfdec_as_object_create didn't have a limit in prototype recursion when
searching for native constructors. Incidentally it shouldn't search for native
constructors from prototypes at all, but that won't be fixed in the stable
branch
diff --git a/swfdec/swfdec_as_object.c b/swfdec/swfdec_as_object.c
index a16c13b..31cb875 100644
--- a/swfdec/swfdec_as_object.c
+++ b/swfdec/swfdec_as_object.c
@@ -1276,13 +1276,14 @@ swfdec_as_object_create (SwfdecAsFunction *fun, guint n_args,
SwfdecAsContext *context;
SwfdecAsFunction *cur;
SwfdecAsFrame *frame;
- guint size = 0;
+ guint i, size = 0;
GType type = 0;
g_return_if_fail (SWFDEC_IS_AS_FUNCTION (fun));
context = SWFDEC_AS_OBJECT (fun)->context;
cur = fun;
+ i = 0;
do {
if (SWFDEC_IS_AS_NATIVE_FUNCTION (cur)) {
SwfdecAsNativeFunction *native = SWFDEC_AS_NATIVE_FUNCTION (cur);
@@ -1292,6 +1293,7 @@ swfdec_as_object_create (SwfdecAsFunction *fun, guint n_args,
break;
}
}
+ i++;
swfdec_as_object_get_variable (SWFDEC_AS_OBJECT (cur), SWFDEC_AS_STR_prototype, &val);
if (SWFDEC_AS_VALUE_IS_OBJECT (&val)) {
SwfdecAsObject *proto = SWFDEC_AS_VALUE_GET_OBJECT (&val);
@@ -1304,7 +1306,7 @@ swfdec_as_object_create (SwfdecAsFunction *fun, guint n_args,
}
}
cur = NULL;
- } while (type == 0 && cur != NULL);
+ } while (type == 0 && cur != NULL && i < SWFDEC_AS_OBJECT_PROTOTYPE_RECURSION_LIMIT);
if (type == 0) {
type = SWFDEC_TYPE_AS_OBJECT;
size = sizeof (SwfdecAsObject);
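Review bot: When the loop now stops because `i` reached `SWFDEC_AS_OBJECT_PROTOTYPE_RECURSION_LIMIT` with `type` still 0, the function silently falls through to the plain `SWFDEC_TYPE_AS_OBJECT` default and nothing records that a cyclic prototype chain was cut off, so the script in the test trace is indistinguishable from a well-formed constructor. Add a diagnostic on that path, e.g. `if (type == 0 && i >= SWFDEC_AS_OBJECT_PROTOTYPE_RECURSION_LIMIT) SWFDEC_FIXME ("prototype chain too deep while looking for native constructor");` placed just before the `if (type == 0)` default, matching the FIXME style used by the companion change in swfdec_as_context.c. The counter would also read more naturally initialised at its declaration, `guint i = 0, size = 0;`, instead of the separate `i = 0;` statement added in the first hunk. swfdec_as_object_create starts before this hunk and ends after it.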