[Swfdec-commits] 10 commits - NEWS swfdec/swfdec_load_object.c test/trace

Benjamin Otte company at kemper.freedesktop.org
Wed Apr 9 02:00:55 PDT 2008


 NEWS                                          |    7 +++++++
 swfdec/swfdec_load_object.c                   |   11 ++++++++---
 test/trace/Makefile.am                        |    9 +++++++++
 test/trace/sec-0.6.2-local-access-5.swf       |binary
 test/trace/sec-0.6.2-local-access-5.swf.trace |    2 ++
 test/trace/sec-0.6.2-local-access-6.swf       |binary
 test/trace/sec-0.6.2-local-access-6.swf.trace |    2 ++
 test/trace/sec-0.6.2-local-access-7.swf       |binary
 test/trace/sec-0.6.2-local-access-7.swf.trace |    2 ++
 test/trace/sec-0.6.2-local-access-8.swf       |binary
 test/trace/sec-0.6.2-local-access-8.swf.trace |    2 ++
 test/trace/sec-0.6.2-local-access.as          |   15 +++++++++++++++
 12 files changed, 47 insertions(+), 3 deletions(-)

New commits:
commit a2fd5c4e167742a0760627e74dcd327214217e02
Merge: 68d862a... 782d17b...
Author: Benjamin Otte <otte at gnome.org>
Date:   Wed Apr 9 11:00:48 2008 +0200

    Merge branch 'master' of ssh://company@git.freedesktop.org/git/swfdec/swfdec

commit 68d862a36c0029481e441a646782585d5b93cf49
Merge: 1c791ef... 0fabf57...
Author: Benjamin Otte <otte at gnome.org>
Date:   Wed Apr 9 11:00:28 2008 +0200

    Merge branch '0.6'
    
    Conflicts:
    
    	configure.ac
    	swfdec/swfdec_text_field_movie.c
    	test/trace/Makefile.am

diff --cc test/trace/Makefile.am
index 7091f46,c58f524..29997c0
--- a/test/trace/Makefile.am
+++ b/test/trace/Makefile.am
@@@ -2643,24 -2585,15 +2643,33 @@@ EXTRA_DIST = 
  	scope-chain-with-and-scope-chain-7.swf.trace \
  	scope-chain-with-and-scope-chain-8.swf \
  	scope-chain-with-and-scope-chain-8.swf.trace \
+ 	sec-0.6.2-local-access-5.swf \
+ 	sec-0.6.2-local-access-5.swf.trace \
+ 	sec-0.6.2-local-access-6.swf \
+ 	sec-0.6.2-local-access-6.swf.trace \
+ 	sec-0.6.2-local-access-7.swf \
+ 	sec-0.6.2-local-access-7.swf.trace \
+ 	sec-0.6.2-local-access-8.swf \
+ 	sec-0.6.2-local-access-8.swf.trace \
+ 	sec-0.6.2-local-access.as \
 +	selection-focus-5.swf \
 +	selection-focus-5.swf.trace \
 +	selection-focus-6.swf \
 +	selection-focus-6.swf.trace \
 +	selection-focus-7.swf \
 +	selection-focus-7.swf.trace \
 +	selection-focus-8.swf \
 +	selection-focus-8.swf.trace \
 +	selection-focus.as \
 +	selection-focus-events-5.swf \
 +	selection-focus-events-5.swf.trace \
 +	selection-focus-events-6.swf \
 +	selection-focus-events-6.swf.trace \
 +	selection-focus-events-7.swf \
 +	selection-focus-events-7.swf.trace \
 +	selection-focus-events-8.swf \
 +	selection-focus-events-8.swf.trace \
 +	selection-focus-events.as \
  	selection-properties.as \
  	selection-properties-5.swf \
  	selection-properties-5.swf.trace \
commit 0fabf5764eddd065c4909d5b4900ef7abf13d8b4
Author: Benjamin Otte <otte at gnome.org>
Date:   Wed Apr 9 10:29:51 2008 +0200

    back to development

diff --git a/configure.ac b/configure.ac
index 671aa96..9c3f9a5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.58])
-AC_INIT(swfdec,0.6.4)
+AC_INIT(swfdec,0.6.5)
 
 [is_dev=$(echo $PACKAGE_VERSION | sed 's/[0-9]\.[0-9][0-9]*\.[0-9]*[13579]/1/')]
 if test x"$is_dev" = x1 ; then
commit f20324c575415b5c32474d3af206ef571fe04bd0
Author: Benjamin Otte <otte at gnome.org>
Date:   Wed Apr 9 10:26:03 2008 +0200

    release 0.6.4

diff --git a/configure.ac b/configure.ac
index 8b5bbc6..671aa96 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,5 +1,5 @@
 AC_PREREQ([2.58])
-AC_INIT(swfdec,0.6.3)
+AC_INIT(swfdec,0.6.4)
 
 [is_dev=$(echo $PACKAGE_VERSION | sed 's/[0-9]\.[0-9][0-9]*\.[0-9]*[13579]/1/')]
 if test x"$is_dev" = x1 ; then
commit af392a99916dfe57c2b8802659f53c74695565b3
Author: Benjamin Otte <otte at gnome.org>
Date:   Wed Apr 9 10:18:12 2008 +0200

    update to 0.6.4

diff --git a/NEWS b/NEWS
index af1a959..1594444 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,11 @@
 
+ 0.6.4 ("College Humor")
+
+This is a security release. Please update as soon as possible.
+- fix a security problem that allowed remote Flash files to read local files.
+- fix a rare crash in TextField.replaceText
+- fix a rare crash during cleanup
+
  0.6.2 ("Badger Badger Badger")
 
 This is the first bugfix release in the stable release series. It contains 
commit 1587e308d4d470e837347b0cff3312b79964908b
Author: Benjamin Otte <otte at gnome.org>
Date:   Wed Apr 9 10:01:48 2008 +0200

    add test for the latest fix

diff --git a/test/trace/Makefile.am b/test/trace/Makefile.am
index 3bffb1c..c58f524 100644
--- a/test/trace/Makefile.am
+++ b/test/trace/Makefile.am
@@ -2585,6 +2585,15 @@ EXTRA_DIST = \
 	scope-chain-with-and-scope-chain-7.swf.trace \
 	scope-chain-with-and-scope-chain-8.swf \
 	scope-chain-with-and-scope-chain-8.swf.trace \
+	sec-0.6.2-local-access-5.swf \
+	sec-0.6.2-local-access-5.swf.trace \
+	sec-0.6.2-local-access-6.swf \
+	sec-0.6.2-local-access-6.swf.trace \
+	sec-0.6.2-local-access-7.swf \
+	sec-0.6.2-local-access-7.swf.trace \
+	sec-0.6.2-local-access-8.swf \
+	sec-0.6.2-local-access-8.swf.trace \
+	sec-0.6.2-local-access.as \
 	selection-properties.as \
 	selection-properties-5.swf \
 	selection-properties-5.swf.trace \
diff --git a/test/trace/sec-0.6.2-local-access-5.swf b/test/trace/sec-0.6.2-local-access-5.swf
new file mode 100644
index 0000000..a7b2280
Binary files /dev/null and b/test/trace/sec-0.6.2-local-access-5.swf differ
diff --git a/test/trace/sec-0.6.2-local-access-5.swf.trace b/test/trace/sec-0.6.2-local-access-5.swf.trace
new file mode 100644
index 0000000..d4f80bf
--- /dev/null
+++ b/test/trace/sec-0.6.2-local-access-5.swf.trace
@@ -0,0 +1,2 @@
+undefined
+undefined
diff --git a/test/trace/sec-0.6.2-local-access-6.swf b/test/trace/sec-0.6.2-local-access-6.swf
new file mode 100644
index 0000000..1460177
Binary files /dev/null and b/test/trace/sec-0.6.2-local-access-6.swf differ
diff --git a/test/trace/sec-0.6.2-local-access-6.swf.trace b/test/trace/sec-0.6.2-local-access-6.swf.trace
new file mode 100644
index 0000000..d4f80bf
--- /dev/null
+++ b/test/trace/sec-0.6.2-local-access-6.swf.trace
@@ -0,0 +1,2 @@
+undefined
+undefined
diff --git a/test/trace/sec-0.6.2-local-access-7.swf b/test/trace/sec-0.6.2-local-access-7.swf
new file mode 100644
index 0000000..01cb6e9
Binary files /dev/null and b/test/trace/sec-0.6.2-local-access-7.swf differ
diff --git a/test/trace/sec-0.6.2-local-access-7.swf.trace b/test/trace/sec-0.6.2-local-access-7.swf.trace
new file mode 100644
index 0000000..d4f80bf
--- /dev/null
+++ b/test/trace/sec-0.6.2-local-access-7.swf.trace
@@ -0,0 +1,2 @@
+undefined
+undefined
diff --git a/test/trace/sec-0.6.2-local-access-8.swf b/test/trace/sec-0.6.2-local-access-8.swf
new file mode 100644
index 0000000..840e840
Binary files /dev/null and b/test/trace/sec-0.6.2-local-access-8.swf differ
diff --git a/test/trace/sec-0.6.2-local-access-8.swf.trace b/test/trace/sec-0.6.2-local-access-8.swf.trace
new file mode 100644
index 0000000..d4f80bf
--- /dev/null
+++ b/test/trace/sec-0.6.2-local-access-8.swf.trace
@@ -0,0 +1,2 @@
+undefined
+undefined
diff --git a/test/trace/sec-0.6.2-local-access.as b/test/trace/sec-0.6.2-local-access.as
new file mode 100644
index 0000000..3614371
--- /dev/null
+++ b/test/trace/sec-0.6.2-local-access.as
@@ -0,0 +1,15 @@
+// makeswf -v 7 -s 200x150 -r 1 -o sec-0.6.2-local-access.swf sec-0.6.2-local-access.as
+
+x = new XML ();
+x.onData  = function (data) {
+  trace (data);
+  getURL ("fscommand:quit", "");
+};
+x.load ("sec-0.6.2-local-access-7.swf.trace");
+
+y = new XML ();
+y.onData  = function (data) {
+  trace (data);
+  getURL ("fscommand:quit", "");
+};
+y.load (_url + ".trace");
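Review bot: The expected output of two `undefined` lines does not distinguish a sandbox denial from a load that failed for any other reason, such as the path resolving against a different directory, so the test can pass without exercising the access check. A header comment should state the assumption, e.g. `// both targets exist next to the SWF; onData must still receive undefined because the sandbox denies local reads`. The first load also hard-codes `sec-0.6.2-local-access-7.swf.trace` for all four SWF versions, which is worth a word in the same comment. Both callbacks issue `fscommand:quit`, so the second trace line presumably depends on the quit not taking effect before the other onData has run.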
commit 326ee4ff631ecc11605f1251e1923a94561a3823
Author: Benjamin Otte <otte at gnome.org>
Date:   Wed Apr 9 09:52:26 2008 +0200

    disallow access to local files from disallowed sandboxes
    
    The previous code allowed files loaded from remote locations to access local
    files.

diff --git a/swfdec/swfdec_load_object.c b/swfdec/swfdec_load_object.c
index d7bc0ce..8be8acc 100644
--- a/swfdec/swfdec_load_object.c
+++ b/swfdec/swfdec_load_object.c
@@ -162,6 +162,11 @@ swfdec_load_object_load (SwfdecPlayer *player, gboolean allow, gpointer obj)
     SWFDEC_WARNING ("SECURITY: no access to %s from %s",
 	load->url, swfdec_url_get_url (load->sandbox->url));
 
+    /* call finish */
+    swfdec_sandbox_use (load->sandbox);
+    load->finish (load->target, NULL);
+    swfdec_sandbox_unuse (load->sandbox);
+
     /* unroot */
     swfdec_player_unroot (player, load);
     return;
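Review bot: The added comment `/* call finish */` restates the call and leaves out why a denied load still has to notify its target. Something like `/* access denied: still run the callback, with no data, so the script sees a failed load */` would record the intent; the test added in the follow-up commit expects onData to trace `undefined`. It is also worth saying that `load->finish` can presumably run script, which would explain why it is bracketed by `swfdec_sandbox_use`/`swfdec_sandbox_unuse` and placed before `swfdec_player_unroot`. The enclosing `if` and the rest of swfdec_load_object_load lie outside the hunk.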
@@ -182,10 +187,10 @@ swfdec_load_object_request (gpointer objectp, gpointer playerp)
   SwfdecURL *url;
 
   if (swfdec_url_path_is_relative (load->url)) {
-    swfdec_load_object_load (player, TRUE, load);
+    swfdec_load_object_load (player, 
+	load->sandbox->type != SWFDEC_SANDBOX_LOCAL_NETWORK, load);
     return;
   }
-  /* FIXME: or is this relative to the player? */
   url = swfdec_player_create_url (player, load->url);
   if (url == NULL) {
     swfdec_load_object_load (player, FALSE, load);
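Review bot: The relative-path branch decides access by exclusion, `load->sandbox->type != SWFDEC_SANDBOX_LOCAL_NETWORK`, so every other sandbox type, including any added later, is allowed by default. The third hunk of this file writes the same kind of decision as an allow-list (`== SWFDEC_SANDBOX_LOCAL_TRUSTED`); for a security check, a `switch` over the sandbox type with a denying `default` would be the safer and more consistent form. The FIXME about what the URL is resolved against is deleted without an answer; if relative paths are resolved against the sandbox URL, a one-line comment saying so would explain why only the local-with-networking sandbox needs to be refused here. The rewritten call in the third hunk also runs well past the line width that the wrapped call in this hunk keeps to. swfdec_load_object_request begins and ends outside these hunks.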
@@ -196,7 +201,7 @@ swfdec_load_object_request (gpointer objectp, gpointer playerp)
     case SWFDEC_SANDBOX_LOCAL_NETWORK:
     case SWFDEC_SANDBOX_LOCAL_TRUSTED:
       if (swfdec_url_is_local (url)) {
-	swfdec_load_object_load (player, swfdec_url_is_local (url), load);
+	swfdec_load_object_load (player, load->sandbox->type == SWFDEC_SANDBOX_LOCAL_TRUSTED, load);
       } else {
 	SwfdecURL *load_url = swfdec_url_new_components (
 	    swfdec_url_get_protocol (url), swfdec_url_get_host (url), 
commit 88a0271611513c39e6a789630e0d264267b6e027
Author: Benjamin Otte <otte at gnome.org>
Date:   Fri Apr 4 18:04:59 2008 +0200

    compute right offset for inserting text in replaceText

diff --git a/swfdec/swfdec_text_field_movie.c b/swfdec/swfdec_text_field_movie.c
index 87f01a7..36e5e4b 100644
--- a/swfdec/swfdec_text_field_movie.c
+++ b/swfdec/swfdec_text_field_movie.c
@@ -1538,8 +1538,10 @@ swfdec_text_field_movie_replace_text (SwfdecTextFieldMovie *text,
       continue;
     }
     /* adapt indexes: remove deleted part, add to-be inserted text */
-    if (findex->index_ > start_index) {
+    if (findex->index_ > end_index) {
       findex->index_ = findex->index_ + start_index - end_index + len;
+    } else if (findex->index_ >= start_index) {
+      findex->index_ = findex->index_ + start_index - end_index;
     }
   }
 
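Review bot: The new `else if (findex->index_ >= start_index)` branch subtracts the whole deleted length from every index in `[start_index, end_index]`, which gives the right answer only for `index_ == end_index`. For any smaller index the result falls below `start_index`, and if `index_` is an unsigned field it wraps when `end_index - start_index` exceeds it. Unless the code above the hunk has already dropped every format that starts inside the replaced range, the branch should clamp instead: `findex->index_ = start_index;`. If that filtering does happen, a comment or `g_assert (findex->index_ == end_index)` would record it. The loop and the rest of swfdec_text_field_movie_replace_text lie outside the hunk.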
commit 0ffaee2c88d9d6c52c8f087b2abca0c35e48da26
Author: Benjamin Otte <otte at gnome.org>
Date:   Fri Apr 4 10:58:47 2008 +0200

    add test for just-fixed crasher

diff --git a/test/trace/Makefile.am b/test/trace/Makefile.am
index 86add78..3bffb1c 100644
--- a/test/trace/Makefile.am
+++ b/test/trace/Makefile.am
@@ -727,6 +727,15 @@ EXTRA_DIST = \
 	crash-0.6.2-replaceText-8.swf \
 	crash-0.6.2-replaceText-8.swf.trace \
 	crash-0.6.2-replaceText.as \
+	crash-0.6.2-try-and-exception-on-dispose-5.swf \
+	crash-0.6.2-try-and-exception-on-dispose-5.swf.trace \
+	crash-0.6.2-try-and-exception-on-dispose-6.swf \
+	crash-0.6.2-try-and-exception-on-dispose-6.swf.trace \
+	crash-0.6.2-try-and-exception-on-dispose-7.swf \
+	crash-0.6.2-try-and-exception-on-dispose-7.swf.trace \
+	crash-0.6.2-try-and-exception-on-dispose-8.swf \
+	crash-0.6.2-try-and-exception-on-dispose-8.swf.trace \
+	crash-0.6.2-try-and-exception-on-dispose.as \
 	currentframe.swf \
 	currentframe.swf.trace \
 	dangling-compare.as \
diff --git a/test/trace/crash-0.6.2-try-and-exception-on-dispose-5.swf b/test/trace/crash-0.6.2-try-and-exception-on-dispose-5.swf
new file mode 100644
index 0000000..e98c9fe
Binary files /dev/null and b/test/trace/crash-0.6.2-try-and-exception-on-dispose-5.swf differ
diff --git a/test/trace/crash-0.6.2-try-and-exception-on-dispose-5.swf.trace b/test/trace/crash-0.6.2-try-and-exception-on-dispose-5.swf.trace
new file mode 100644
index 0000000..e69de29
diff --git a/test/trace/crash-0.6.2-try-and-exception-on-dispose-6.swf b/test/trace/crash-0.6.2-try-and-exception-on-dispose-6.swf
new file mode 100644
index 0000000..ba6bd21
Binary files /dev/null and b/test/trace/crash-0.6.2-try-and-exception-on-dispose-6.swf differ
diff --git a/test/trace/crash-0.6.2-try-and-exception-on-dispose-6.swf.trace b/test/trace/crash-0.6.2-try-and-exception-on-dispose-6.swf.trace
new file mode 100644
index 0000000..e69de29
diff --git a/test/trace/crash-0.6.2-try-and-exception-on-dispose-7.swf b/test/trace/crash-0.6.2-try-and-exception-on-dispose-7.swf
new file mode 100644
index 0000000..788a1f5
Binary files /dev/null and b/test/trace/crash-0.6.2-try-and-exception-on-dispose-7.swf differ
diff --git a/test/trace/crash-0.6.2-try-and-exception-on-dispose-7.swf.trace b/test/trace/crash-0.6.2-try-and-exception-on-dispose-7.swf.trace
new file mode 100644
index 0000000..e69de29
diff --git a/test/trace/crash-0.6.2-try-and-exception-on-dispose-8.swf b/test/trace/crash-0.6.2-try-and-exception-on-dispose-8.swf
new file mode 100644
index 0000000..8695f70
Binary files /dev/null and b/test/trace/crash-0.6.2-try-and-exception-on-dispose-8.swf differ
diff --git a/test/trace/crash-0.6.2-try-and-exception-on-dispose-8.swf.trace b/test/trace/crash-0.6.2-try-and-exception-on-dispose-8.swf.trace
new file mode 100644
index 0000000..e69de29
diff --git a/test/trace/crash-0.6.2-try-and-exception-on-dispose.as b/test/trace/crash-0.6.2-try-and-exception-on-dispose.as
new file mode 100644
index 0000000..42f4083
--- /dev/null
+++ b/test/trace/crash-0.6.2-try-and-exception-on-dispose.as
@@ -0,0 +1,14 @@
+// makeswf -v 7 -s 200x150 -r 1 -o crash-0.6.2-try-and-exception-on-dispose.swf crash-0.6.2-try-and-exception-on-dispose.as
+
+getURL ("fscommand:quit", "");
+
+function boom () {
+  try {
+    return;
+    trace ("hi");
+  } catch (e) {
+  };
+};
+
+boom ();
+throw ("hi");
commit 2cacb713e04a39253b87d2512247e402a5f49bc8
Author: Benjamin Otte <otte at gnome.org>
Date:   Fri Apr 4 10:56:16 2008 +0200

    fix SEGV when collecting frames that are in a try block
    
    ... while the context is in an exception state

diff --git a/swfdec/swfdec_as_context.c b/swfdec/swfdec_as_context.c
index c75f15a..f2b4d09 100644
--- a/swfdec/swfdec_as_context.c
+++ b/swfdec/swfdec_as_context.c
@@ -519,6 +519,9 @@ swfdec_as_context_dispose (GObject *object)
 
   while (context->stack)
     swfdec_as_stack_pop_segment (context);
+  /* We need to make sure there's no exception here. Otherwise collecting 
+   * frames that are inside a try block will assert */
+  swfdec_as_context_catch (context, NULL);
   swfdec_as_context_collect (context);
   if (context->memory != 0) {
     g_critical ("%zu bytes of memory left over\n", context->memory);
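Review bot: Passing `NULL` to `swfdec_as_context_catch` drops whatever exception was still pending at dispose without any trace, which makes a script that died on an uncaught throw look like a clean shutdown. If the call reports whether an exception was actually cleared, log that case, for example `if (swfdec_as_context_catch (context, NULL)) SWFDEC_WARNING ("discarding pending exception on dispose");`. The comment could also say why the catch sits after the stack segments are popped rather than before. swfdec_as_context_dispose starts and ends outside the hunk.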

