[Swfdec] 3 commits - libswfdec/swfdec_bits.c libswfdec/swfdec_shape.c libswfdec/swfdec_tag.c

Benjamin Otte company at kemper.freedesktop.org
Thu Feb 15 03:14:14 PST 2007


 libswfdec/swfdec_bits.c  |    5 +--
 libswfdec/swfdec_shape.c |    8 +++--
 libswfdec/swfdec_tag.c   |   71 +++++++++++++++--------------------------------
 3 files changed, 32 insertions(+), 52 deletions(-)

New commits:
diff-tree a879894cd4905bea3dfe323eac13d24448146807 (from b9d7f15528e25b22099507ad00bba595e53025af)
Author: Benjamin Otte <otte at gnome.org>
Date:   Thu Feb 15 09:32:32 2007 +0100

    Update some parsing code to the 21st century
    
    DefineSprite and DefineFont tags were still doing old-style manipulation of
    the SwfdecBits which could cause crashes. This patch updates it to use the
    "new" functions.

diff --git a/libswfdec/swfdec_tag.c b/libswfdec/swfdec_tag.c
index e7c8aa8..f4497f2 100644
--- a/libswfdec/swfdec_tag.c
+++ b/libswfdec/swfdec_tag.c
@@ -190,35 +190,30 @@ tag_func_define_text_2 (SwfdecSwfDecoder
 int
 tag_func_define_sprite (SwfdecSwfDecoder * s)
 {
-  SwfdecBits *bits = &s->b;
   SwfdecBits parse;
   int id;
   SwfdecSprite *sprite;
   int ret;
-  SwfdecBits save_bits;
+  guint tag;
 
-  save_bits = s->b;
+  parse = s->b;
 
-  id = swfdec_bits_get_u16 (bits);
+  id = swfdec_bits_get_u16 (&parse);
   sprite = swfdec_swf_decoder_create_character (s, id, SWFDEC_TYPE_SPRITE);
   if (!sprite)
     return SWFDEC_STATUS_OK;
 
   SWFDEC_LOG ("  ID: %d", id);
 
-  swfdec_sprite_set_n_frames (sprite, swfdec_bits_get_u16 (bits), SWFDEC_DECODER (s)->rate);
-
-  parse = *bits;
+  swfdec_sprite_set_n_frames (sprite, swfdec_bits_get_u16 (&parse), SWFDEC_DECODER (s)->rate);
 
   s->parse_sprite = sprite;
-  while (1) {
+  do {
     int x;
-    int tag;
     guint tag_len;
     SwfdecBuffer *buffer;
     SwfdecTagFunc *func;
 
-    //SWFDEC_INFO ("sprite parsing at %d", parse.ptr - parse.buffer->data);
     x = swfdec_bits_get_u16 (&parse);
     tag = (x >> 6) & 0x3ff;
     tag_len = x & 0x3f;
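Review bot: The two readers swap roles at `parse = s->b;` and nothing in the function says so: `parse` now walks the sprite body, while `s->b` is re-pointed at each child tag's payload inside the loop and only restored after it. A comment there would help the next reader, for example `/* parse walks the sprite body; s->b is re-initialised per child tag and restored from parse after the loop */`. The early `return SWFDEC_STATUS_OK` when `sprite` is NULL now leaves `s->b` unadvanced, where the old code had already consumed the id. This is presumably fine if the caller skips by tag length, but that caller is not visible here. The function body continues past this hunk.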
@@ -228,25 +223,17 @@ tag_func_define_sprite (SwfdecSwfDecoder
     SWFDEC_INFO ("sprite parsing at %d, tag %d %s, length %d",
         parse.ptr - parse.buffer->data, tag,
         swfdec_swf_decoder_get_tag_name (tag), tag_len);
-    //SWFDEC_DEBUG ("tag %d %s", tag, swfdec_decoder_get_tag_name (tag));
 
-    if (tag_len * 8 > swfdec_bits_left (&parse)) {
-      SWFDEC_ERROR ("tag claims to be %u bytes long, but only %u bytes remaining",
-	  tag_len, swfdec_bits_left (&parse) / 8);
-      break;
-    } else if (tag_len > 0) {
-      buffer = swfdec_buffer_new_subbuffer (parse.buffer,
-          parse.ptr - parse.buffer->data, tag_len);
-      s->b.buffer = buffer;
-      s->b.ptr = buffer->data;
-      s->b.idx = 0;
-      s->b.end = buffer->data + buffer->length;
+    if (tag_len == 0) {
+      swfdec_bits_init_data (&s->b, NULL, 0);
     } else {
-      buffer = NULL;
-      s->b.buffer = NULL;
-      s->b.ptr = NULL;
-      s->b.idx = 0;
-      s->b.end = NULL;
+      buffer = swfdec_bits_get_buffer (&parse, tag_len);
+      if (buffer == NULL) {
+	SWFDEC_ERROR ("tag claims to be %u bytes long, but not enough bytes remaining",
+	    tag_len);
+	break;
+      }
+      swfdec_bits_init (&s->b, buffer);
     }
 
     func = swfdec_swf_decoder_get_tag_func (tag);
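Review bot: `buffer` is left unassigned on the `tag_len == 0` path, because the removed else-branch was the only place that set `buffer = NULL;` and the declaration `SwfdecBuffer *buffer;` has no initialiser. The `if (buffer) swfdec_buffer_unref (buffer);` in the next hunk then tests an indeterminate pointer for every zero-length tag in a sprite, including the End tag. Since the tag stream comes straight from the file, this is a memory-safety problem rather than a cosmetic one. Either declare it as `SwfdecBuffer *buffer = NULL;` or add `buffer = NULL;` next to `swfdec_bits_init_data (&s->b, NULL, 0);`. The three lines between this hunk and the previous one are not shown, so this assumes they do not assign `buffer`.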
@@ -257,32 +244,20 @@ tag_func_define_sprite (SwfdecSwfDecoder
       SWFDEC_ERROR ("invalid tag %d %s during DefineSprite",
           tag, swfdec_swf_decoder_get_tag_name (tag));
     } else {
-      const unsigned char *endptr = parse.ptr + tag_len;
       ret = func (s);
 
-      swfdec_bits_syncbits (bits);
-      if (tag_len > 0) {
-        if (s->b.ptr < endptr) {
-          SWFDEC_WARNING ("early parse finish (%d bytes)", endptr - s->b.ptr);
-        }
-        if (s->b.ptr > endptr) {
-          SWFDEC_WARNING ("parse overrun (%d bytes)", s->b.ptr - endptr);
-        }
+      if (swfdec_bits_left (&s->b)) {
+        SWFDEC_WARNING ("early parse finish (%d bytes)", 
+	    swfdec_bits_left (&s->b) / 8);
       }
     }
-    if (swfdec_bits_skip_bytes (&parse, tag_len) != tag_len)
-      break;
-
     if (buffer)
       swfdec_buffer_unref (buffer);
 
-    if (tag == 0)
-      break;
-  }
+  } while (tag != 0);
 
-  s->b = save_bits;
-  s->b.ptr += s->b.buffer->length;
-  /* this assumes that no recursive DefineSprite happens and the spec says it doesn't */
+  s->b = parse;
+  /* this assumes that no recursive DefineSprite happens and we check it doesn't */
   s->parse_sprite = s->main_sprite;
   SWFDEC_LOG ("done parsing this sprite");
 
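Review bot: The new "early parse finish" warning passes `swfdec_bits_left (&s->b) / 8` to `%d`, while the error message removed in the previous hunk printed the same expression with `%u`. If the function returns an unsigned count, as that older call suggests, the specifier should be `%u` here too: `SWFDEC_WARNING ("early parse finish (%u bytes)", swfdec_bits_left (&s->b) / 8);`. Separately, the updated comment says the no-recursion assumption is checked, but the check is not in the visible lines. Naming the function or flag that enforces it would let a reader verify that `s->b = parse;` cannot be clobbered by a nested DefineSprite.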
@@ -648,16 +623,16 @@ tag_func_define_font_2 (SwfdecSwfDecoder
     swfdec_shape_get_recs (s, shape);
   }
   if (wide_codes) {
-    bits->ptr += 2 * n_glyphs;
+    swfdec_bits_skip_bytes (bits, 2 * n_glyphs);
   } else {
-    bits->ptr += 1 * n_glyphs;
+    swfdec_bits_skip_bytes (bits, 1 * n_glyphs);
   }
   if (has_layout) {
     font_ascent = swfdec_bits_get_s16 (bits);
     font_descent = swfdec_bits_get_s16 (bits);
     font_leading = swfdec_bits_get_s16 (bits);
     //font_advance_table = swfdec_bits_get_s16(bits);
-    bits->ptr += 2 * n_glyphs;
+    swfdec_bits_skip_bytes (bits, 2 * n_glyphs);
     for (i = 0; i < n_glyphs; i++) {
       swfdec_bits_get_rect (bits, &rect);
     }
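Review bot: All three `swfdec_bits_skip_bytes (bits, ...)` calls discard the return value, so a font whose code or advance table is truncated is parsed as if the skip had succeeded. The code removed from `tag_func_define_sprite` compared that return value with the requested length, so a short skip is detectable. The last call is followed by `n_glyphs` iterations of `swfdec_bits_get_rect` on a reader that may already be exhausted. Consider checking each call, for example `if (swfdec_bits_skip_bytes (bits, 2 * n_glyphs) != 2 * n_glyphs) SWFDEC_ERROR ("DefineFont2 glyph tables truncated");`, and bailing out with whatever status this function uses. The type of `n_glyphs` and the function's return paths are outside the hunk.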
diff-tree b9d7f15528e25b22099507ad00bba595e53025af (from b2e0602283210779a56b4feb93d423b96c2bd3ef)
Author: Benjamin Otte <otte at gnome.org>
Date:   Thu Feb 15 09:30:35 2007 +0100

    Allow NULL data in swfdec_bits_init_data

diff --git a/libswfdec/swfdec_bits.c b/libswfdec/swfdec_bits.c
index 6a9ed33..ab46303 100644
--- a/libswfdec/swfdec_bits.c
+++ b/libswfdec/swfdec_bits.c
@@ -62,13 +62,14 @@ swfdec_bits_init (SwfdecBits *bits, Swfd
  * @len: length of the data
  *
  * Initializes @bits for use with the given @data. All operations on @bits will
- * return copies of the data, so after use, you can free the supplied data.
+ * return copies of the data, so after use, you can free the supplied data. Using 
+ * %NULL for @data is valid if @len is 0.
  **/
 void
 swfdec_bits_init_data (SwfdecBits *bits, const guint8 *data, guint len)
 {
   g_return_if_fail (bits != NULL);
-  g_return_if_fail (data != NULL);
+  g_return_if_fail (data != NULL || len == 0);
 
   bits->buffer = NULL;
   bits->ptr = data;
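Review bot: The relaxed guard lets `bits->ptr` be stored as NULL, but the doc comment only says the call is valid and not what state the reader is left in. It would be worth stating the contract that makes this safe, for example ` * A reader initialized this way is empty; accessors must check the remaining length before touching the data.`, after confirming that every getter really does so. Note also that when the guard fails (`data == NULL` with a non-zero `len`), `g_return_if_fail` returns from this `void` function with `*bits` untouched. A caller on a parsing path cannot tell and may go on to read an uninitialised `SwfdecBits`. The remainder of the function body is outside the hunk.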
diff-tree b2e0602283210779a56b4feb93d423b96c2bd3ef (from 98049e91f2ff8cd1cc2ad5b9ae5952653d065ad7)
Author: Benjamin Otte <otte at gnome.org>
Date:   Wed Feb 14 22:54:36 2007 +0100

    Handle failed pattern creation during parsing

diff --git a/libswfdec/swfdec_shape.c b/libswfdec/swfdec_shape.c
index c731b37..08bd710 100644
--- a/libswfdec/swfdec_shape.c
+++ b/libswfdec/swfdec_shape.c
@@ -214,12 +214,14 @@ swfdec_shape_dispose (GObject *object)
   }
   g_array_free (shape->vecs, TRUE);
   for (i = 0; i < shape->fills->len; i++) {
-    g_object_unref (g_ptr_array_index (shape->fills, i));
+    if (g_ptr_array_index (shape->fills, i))
+      g_object_unref (g_ptr_array_index (shape->fills, i));
   }
   g_ptr_array_free (shape->fills, TRUE);
 
   for (i = 0; i < shape->lines->len; i++) {
-    g_object_unref (g_ptr_array_index (shape->lines, i));
+    if (g_ptr_array_index (shape->lines, i))
+      g_object_unref (g_ptr_array_index (shape->lines, i));
   }
   g_ptr_array_free (shape->lines, TRUE);
 
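Review bot: Each added guard evaluates `g_ptr_array_index (...)` twice, once for the test and once for the unref. A local reads more clearly and keeps the two from drifting apart: `gpointer fill = g_ptr_array_index (shape->fills, i);` followed by `if (fill) g_object_unref (fill);`, and the same for `shape->lines`. NULL entries in both arrays are now a legal state, so a short comment where the arrays are declared or populated (not visible here) should say so. `swfdec_shape_dispose` begins and ends outside this hunk.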
@@ -555,6 +557,8 @@ swfdec_shape_accumulate_one_fill (Swfdec
     goto fail;
   } else {
     target->pattern = g_ptr_array_index (shape->fills, style - 1);
+    if (target->pattern == NULL)
+      goto fail;
     g_object_ref (target->pattern);
   }
   g_slist_free (found);
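Review bot: Only the `shape->fills` lookup is guarded here, although the dispose change in the same commit also treats NULL entries in `shape->lines` as possible. The equivalent line-style lookup is not in the visible hunks, so it should be confirmed that it gets the same `== NULL` check before its `g_object_ref`. The new `goto fail` is also silent, and a message such as `SWFDEC_WARNING ("fill style %u has no pattern", style);` would make a malformed file diagnosable (adjust the specifier to the type of `style`, which is declared outside the hunk). `target->pattern` is left set to NULL on this path. That is presumably harmless if `fail` discards `target`, but the label is not shown.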

