[Swfdec-commits] 11 commits - swfdec/swfdec_as_context.c swfdec/swfdec_as_object.c swfdec/swfdec_sprite_movie_as.c test/trace
Pekka Lampila
medar at kemper.freedesktop.org
Mon Jul 28 06:58:56 PDT 2008
swfdec/swfdec_as_context.c | 9 ++++++++-
swfdec/swfdec_as_object.c | 10 ++++++++--
swfdec/swfdec_sprite_movie_as.c | 3 +++
test/trace/Makefile.am | 18 ++++++++++++++++++
test/trace/crash-0.6.6-create-object-5.swf |binary
test/trace/crash-0.6.6-create-object-5.swf.trace | 1 +
test/trace/crash-0.6.6-create-object-6.swf |binary
test/trace/crash-0.6.6-create-object-6.swf.trace | 1 +
test/trace/crash-0.6.6-create-object-7.swf |binary
test/trace/crash-0.6.6-create-object-7.swf.trace | 1 +
test/trace/crash-0.6.6-create-object-8.swf |binary
test/trace/crash-0.6.6-create-object-8.swf.trace | 1 +
test/trace/crash-0.6.6-create-object.as | 10 ++++++++++
test/trace/crash-0.6.6-native-constructor-5.swf |binary
test/trace/crash-0.6.6-native-constructor-5.swf.trace | 1 +
test/trace/crash-0.6.6-native-constructor-6.swf |binary
test/trace/crash-0.6.6-native-constructor-6.swf.trace | 1 +
test/trace/crash-0.6.6-native-constructor-7.swf |binary
test/trace/crash-0.6.6-native-constructor-7.swf.trace | 1 +
test/trace/crash-0.6.6-native-constructor-8.swf |binary
test/trace/crash-0.6.6-native-constructor-8.swf.trace | 1 +
test/trace/crash-0.6.6-native-constructor.as | 11 +++++++++++
22 files changed, 66 insertions(+), 3 deletions(-)
New commits:
commit 6ffdda8a4c4bd65fd0a15a47fb4aa559267d7c48
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Mon Jul 28 16:53:33 2008 +0300
Add a FIXME comment to swfdec_as_object_create about deciding object's type
diff --git a/swfdec/swfdec_as_object.c b/swfdec/swfdec_as_object.c
index a860d67..a8705ab 100644
--- a/swfdec/swfdec_as_object.c
+++ b/swfdec/swfdec_as_object.c
@@ -1291,6 +1291,10 @@ swfdec_as_object_create (SwfdecAsFunction *fun, guint n_args,
g_return_if_fail (SWFDEC_IS_AS_FUNCTION (fun));
+ // FIXME: The way we decide object's type is wrong
+ // It seems to be actually possible to change the type inside a constructor
+ // (many times) by changing this.__proto__.__constructor__ and calling super
+
context = swfdec_gc_object_get_context (fun);
cur = fun;
i = 0;
commit 0e1f76c47e87301f1759ea3e87d0e7d2fcd66a42
Merge: 11f45c7... dbab97a...
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Mon Jul 28 16:49:00 2008 +0300
Merge branch '0.6'
Conflicts:
swfdec/swfdec_as_object.c
test/trace/Makefile.am
diff --cc swfdec/swfdec_as_object.c
index cd543b3,31cb875..a860d67
--- a/swfdec/swfdec_as_object.c
+++ b/swfdec/swfdec_as_object.c
@@@ -1291,8 -1281,9 +1291,9 @@@ swfdec_as_object_create (SwfdecAsFuncti
g_return_if_fail (SWFDEC_IS_AS_FUNCTION (fun));
- context = SWFDEC_AS_OBJECT (fun)->context;
+ context = swfdec_gc_object_get_context (fun);
cur = fun;
+ i = 0;
do {
if (SWFDEC_IS_AS_NATIVE_FUNCTION (cur)) {
SwfdecAsNativeFunction *native = SWFDEC_AS_NATIVE_FUNCTION (cur);
commit dbab97a18f6732e8238eb9c838b6b5b9b66b88c2
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Mon Jul 28 16:46:25 2008 +0300
Add a test for crash when native constructor is called with an invalid type
diff --git a/test/trace/Makefile.am b/test/trace/Makefile.am
index 3e997d4..28f6e8d 100644
--- a/test/trace/Makefile.am
+++ b/test/trace/Makefile.am
@@ -754,6 +754,15 @@ EXTRA_DIST = \
crash-0.6.6-date-8.swf \
crash-0.6.6-date-8.swf.trace \
crash-0.6.6-date.as \
+ crash-0.6.6-native-constructor-5.swf \
+ crash-0.6.6-native-constructor-5.swf.trace \
+ crash-0.6.6-native-constructor-6.swf \
+ crash-0.6.6-native-constructor-6.swf.trace \
+ crash-0.6.6-native-constructor-7.swf \
+ crash-0.6.6-native-constructor-7.swf.trace \
+ crash-0.6.6-native-constructor-8.swf \
+ crash-0.6.6-native-constructor-8.swf.trace \
+ crash-0.6.6-native-constructor.as \
crash-0.6.6-prototype-recursion-5.swf \
crash-0.6.6-prototype-recursion-5.swf.trace \
crash-0.6.6-prototype-recursion-6.swf \
diff --git a/test/trace/crash-0.6.6-native-constructor-5.swf b/test/trace/crash-0.6.6-native-constructor-5.swf
new file mode 100644
index 0000000..3996f2a
Binary files /dev/null and b/test/trace/crash-0.6.6-native-constructor-5.swf differ
diff --git a/test/trace/crash-0.6.6-native-constructor-5.swf.trace b/test/trace/crash-0.6.6-native-constructor-5.swf.trace
new file mode 100644
index 0000000..46c38f6
--- /dev/null
+++ b/test/trace/crash-0.6.6-native-constructor-5.swf.trace
@@ -0,0 +1 @@
+Qapla!
diff --git a/test/trace/crash-0.6.6-native-constructor-6.swf b/test/trace/crash-0.6.6-native-constructor-6.swf
new file mode 100644
index 0000000..8b8d496
Binary files /dev/null and b/test/trace/crash-0.6.6-native-constructor-6.swf differ
diff --git a/test/trace/crash-0.6.6-native-constructor-6.swf.trace b/test/trace/crash-0.6.6-native-constructor-6.swf.trace
new file mode 100644
index 0000000..46c38f6
--- /dev/null
+++ b/test/trace/crash-0.6.6-native-constructor-6.swf.trace
@@ -0,0 +1 @@
+Qapla!
diff --git a/test/trace/crash-0.6.6-native-constructor-7.swf b/test/trace/crash-0.6.6-native-constructor-7.swf
new file mode 100644
index 0000000..93819e5
Binary files /dev/null and b/test/trace/crash-0.6.6-native-constructor-7.swf differ
diff --git a/test/trace/crash-0.6.6-native-constructor-7.swf.trace b/test/trace/crash-0.6.6-native-constructor-7.swf.trace
new file mode 100644
index 0000000..46c38f6
--- /dev/null
+++ b/test/trace/crash-0.6.6-native-constructor-7.swf.trace
@@ -0,0 +1 @@
+Qapla!
diff --git a/test/trace/crash-0.6.6-native-constructor-8.swf b/test/trace/crash-0.6.6-native-constructor-8.swf
new file mode 100644
index 0000000..bc1676e
Binary files /dev/null and b/test/trace/crash-0.6.6-native-constructor-8.swf differ
diff --git a/test/trace/crash-0.6.6-native-constructor-8.swf.trace b/test/trace/crash-0.6.6-native-constructor-8.swf.trace
new file mode 100644
index 0000000..46c38f6
--- /dev/null
+++ b/test/trace/crash-0.6.6-native-constructor-8.swf.trace
@@ -0,0 +1 @@
+Qapla!
diff --git a/test/trace/crash-0.6.6-native-constructor.as b/test/trace/crash-0.6.6-native-constructor.as
new file mode 100644
index 0000000..3ce4884
--- /dev/null
+++ b/test/trace/crash-0.6.6-native-constructor.as
@@ -0,0 +1,11 @@
+// makeswf -v 7 -s 200x150 -r 15 -o crash-0.6.6-create-object.swf crash-0.6.6-create-object.as
+
+function Test () {
+ this.__proto__.__constructor__ = Date;
+ super ();
+}
+var t = new Test ();
+
+trace ("Qapla!");
+
+getURL ("fscommand:quit", "");
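Review bot: The build comment on the first line of this new file names the wrong test: it reads `-o crash-0.6.6-create-object.swf crash-0.6.6-create-object.as`, apparently copied from the sibling test, so anyone regenerating the SWF from it would rebuild the other test instead of this one. It should read `// makeswf -v 7 -s 200x150 -r 15 -o crash-0.6.6-native-constructor.swf crash-0.6.6-native-constructor.as`. A one-line comment above `function Test ()` saying that the script points `__constructor__` at a native class before calling `super ()` would also record what the regression covers.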
commit 1fe97ae089cd6161b96dd53dca975888a1f8dcc4
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Mon Jul 28 16:44:20 2008 +0300
Don't crash when native constructor is called with an invalid type
Added SWFDEC_FIXME for those cases, because now we will ignore the call, but
that is not the correct thing to do
diff --git a/swfdec/swfdec_as_context.c b/swfdec/swfdec_as_context.c
index 24b25c6..7d0f7f2 100644
--- a/swfdec/swfdec_as_context.c
+++ b/swfdec/swfdec_as_context.c
@@ -840,7 +840,9 @@ start:
SwfdecAsValue rval = { 0, };
if (frame->argc >= native->min_args &&
(native->type == 0 ||
- g_type_is_a (G_OBJECT_TYPE (frame->thisp), native->type))) {
+ g_type_is_a (G_OBJECT_TYPE (frame->thisp), native->type)) &&
+ (!frame->construct || native->construct_type == 0 ||
+ g_type_is_a (G_OBJECT_TYPE (frame->thisp), native->construct_type))) {
SwfdecAsValue *argv;
/* accumulate argv */
if (frame->argc == 0 || frame->argv != NULL) {
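Review bot: The constructor type test added to this condition is written out a second time, negated, in the `else` branch of the following hunk, so the two copies can drift apart the next time one of them is edited. Compute it once before the `if`, e.g. `gboolean construct_ok = !frame->construct || native->construct_type == 0 || g_type_is_a (G_OBJECT_TYPE (frame->thisp), native->construct_type);`, then use `&& construct_ok` in the condition and `if (!construct_ok) SWFDEC_FIXME (...)` in the `else`. Since this test is what keeps a native constructor from running on a `this` object of a different GType, a short comment saying so would stop it being removed later as redundant with the `native->type` test. The enclosing block starts and ends outside both hunks.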
@@ -871,6 +873,11 @@ start:
argv, &rval);
if (argv != frame->argv)
g_free (argv);
+ } else {
+ if (frame->construct && native->construct_type != 0 &&
+ !g_type_is_a (G_OBJECT_TYPE (frame->thisp), native->construct_type)) {
+ SWFDEC_FIXME ("Ignoring call to native constructor with invalid type");
+ }
}
swfdec_as_frame_return (frame, &rval);
goto start;
commit eb03c1e9ee0600c8e787845283ac1ca297d3e9a4
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Mon Jul 28 14:58:41 2008 +0300
Add a test for the crash with constructors that have a loop in prototype chain
diff --git a/test/trace/Makefile.am b/test/trace/Makefile.am
index f8c6703..3e997d4 100644
--- a/test/trace/Makefile.am
+++ b/test/trace/Makefile.am
@@ -736,6 +736,15 @@ EXTRA_DIST = \
crash-0.6.2-try-and-exception-on-dispose-8.swf \
crash-0.6.2-try-and-exception-on-dispose-8.swf.trace \
crash-0.6.2-try-and-exception-on-dispose.as \
+ crash-0.6.6-create-object-5.swf \
+ crash-0.6.6-create-object-5.swf.trace \
+ crash-0.6.6-create-object-6.swf \
+ crash-0.6.6-create-object-6.swf.trace \
+ crash-0.6.6-create-object-7.swf \
+ crash-0.6.6-create-object-7.swf.trace \
+ crash-0.6.6-create-object-8.swf \
+ crash-0.6.6-create-object-8.swf.trace \
+ crash-0.6.6-create-object.as \
crash-0.6.6-date-5.swf \
crash-0.6.6-date-5.swf.trace \
crash-0.6.6-date-6.swf \
diff --git a/test/trace/crash-0.6.6-create-object-5.swf b/test/trace/crash-0.6.6-create-object-5.swf
new file mode 100644
index 0000000..92f5c39
Binary files /dev/null and b/test/trace/crash-0.6.6-create-object-5.swf differ
diff --git a/test/trace/crash-0.6.6-create-object-5.swf.trace b/test/trace/crash-0.6.6-create-object-5.swf.trace
new file mode 100644
index 0000000..cd770b3
--- /dev/null
+++ b/test/trace/crash-0.6.6-create-object-5.swf.trace
@@ -0,0 +1 @@
+Created:
diff --git a/test/trace/crash-0.6.6-create-object-6.swf b/test/trace/crash-0.6.6-create-object-6.swf
new file mode 100644
index 0000000..0d35c08
Binary files /dev/null and b/test/trace/crash-0.6.6-create-object-6.swf differ
diff --git a/test/trace/crash-0.6.6-create-object-6.swf.trace b/test/trace/crash-0.6.6-create-object-6.swf.trace
new file mode 100644
index 0000000..8074f67
--- /dev/null
+++ b/test/trace/crash-0.6.6-create-object-6.swf.trace
@@ -0,0 +1 @@
+Created: [object Object]
diff --git a/test/trace/crash-0.6.6-create-object-7.swf b/test/trace/crash-0.6.6-create-object-7.swf
new file mode 100644
index 0000000..90f4759
Binary files /dev/null and b/test/trace/crash-0.6.6-create-object-7.swf differ
diff --git a/test/trace/crash-0.6.6-create-object-7.swf.trace b/test/trace/crash-0.6.6-create-object-7.swf.trace
new file mode 100644
index 0000000..8074f67
--- /dev/null
+++ b/test/trace/crash-0.6.6-create-object-7.swf.trace
@@ -0,0 +1 @@
+Created: [object Object]
diff --git a/test/trace/crash-0.6.6-create-object-8.swf b/test/trace/crash-0.6.6-create-object-8.swf
new file mode 100644
index 0000000..beaf873
Binary files /dev/null and b/test/trace/crash-0.6.6-create-object-8.swf differ
diff --git a/test/trace/crash-0.6.6-create-object-8.swf.trace b/test/trace/crash-0.6.6-create-object-8.swf.trace
new file mode 100644
index 0000000..8074f67
--- /dev/null
+++ b/test/trace/crash-0.6.6-create-object-8.swf.trace
@@ -0,0 +1 @@
+Created: [object Object]
diff --git a/test/trace/crash-0.6.6-create-object.as b/test/trace/crash-0.6.6-create-object.as
new file mode 100644
index 0000000..9bbcec9
--- /dev/null
+++ b/test/trace/crash-0.6.6-create-object.as
@@ -0,0 +1,10 @@
+// makeswf -v 7 -s 200x150 -r 15 -o crash-0.6.6-create-object.swf crash-0.6.6-create-object.as
+
+function Evil () {}
+Evil.__constructor__ = Evil;
+Evil.prototype = Evil;
+var e = new Evil ();
+
+trace ("Created: " + e);
+
+getURL ("fscommand:quit", "");
commit d913e9d3993d21cb2f78936c55b65eda32091d70
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Mon Jul 28 14:54:03 2008 +0300
Fix an infinite loop when constructor has a loop in it's property chain
swfdec_as_object_create didn't have a limit in prototype recursion when
searching for native constructors. Incidentally it shouldn't search for native
constructors from prototypes at all, but that won't be fixed in the stable
branch
diff --git a/swfdec/swfdec_as_object.c b/swfdec/swfdec_as_object.c
index a16c13b..31cb875 100644
--- a/swfdec/swfdec_as_object.c
+++ b/swfdec/swfdec_as_object.c
@@ -1276,13 +1276,14 @@ swfdec_as_object_create (SwfdecAsFunction *fun, guint n_args,
SwfdecAsContext *context;
SwfdecAsFunction *cur;
SwfdecAsFrame *frame;
- guint size = 0;
+ guint i, size = 0;
GType type = 0;
g_return_if_fail (SWFDEC_IS_AS_FUNCTION (fun));
context = SWFDEC_AS_OBJECT (fun)->context;
cur = fun;
+ i = 0;
do {
if (SWFDEC_IS_AS_NATIVE_FUNCTION (cur)) {
SwfdecAsNativeFunction *native = SWFDEC_AS_NATIVE_FUNCTION (cur);
@@ -1292,6 +1293,7 @@ swfdec_as_object_create (SwfdecAsFunction *fun, guint n_args,
break;
}
}
+ i++;
swfdec_as_object_get_variable (SWFDEC_AS_OBJECT (cur), SWFDEC_AS_STR_prototype, &val);
if (SWFDEC_AS_VALUE_IS_OBJECT (&val)) {
SwfdecAsObject *proto = SWFDEC_AS_VALUE_GET_OBJECT (&val);
@@ -1304,7 +1306,7 @@ swfdec_as_object_create (SwfdecAsFunction *fun, guint n_args,
}
}
cur = NULL;
- } while (type == 0 && cur != NULL);
+ } while (type == 0 && cur != NULL && i < SWFDEC_AS_OBJECT_PROTOTYPE_RECURSION_LIMIT);
if (type == 0) {
type = SWFDEC_TYPE_AS_OBJECT;
size = sizeof (SwfdecAsObject);
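Review bot: When the loop stops because `i` reached `SWFDEC_AS_OBJECT_PROTOTYPE_RECURSION_LIMIT`, nothing records it: the code falls through to `type = SWFDEC_TYPE_AS_OBJECT` exactly as if the chain had ended normally, whereas swfdec_as_object_get_variable_and_flags in the same file aborts the context with "Prototype recursion limit exceeded" on that limit. If the silent fallback is intended (the new traces expect the object to be created), say so above the `do`, e.g. `/* script can make the prototype chain cyclic; give up after the recursion limit and create a plain object */`. `i` could also be initialised at its declaration, `guint i = 0, size = 0;`, instead of by the separate `i = 0;` in the first hunk. The function body continues outside these hunks.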
commit 11f45c7e3211cea751c9f72a287527b2c85f660c
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Mon Jul 28 12:15:17 2008 +0300
Add SWFDEC_FIXME about swapDepths on root movies
diff --git a/swfdec/swfdec_sprite_movie_as.c b/swfdec/swfdec_sprite_movie_as.c
index 95f38b7..973a751 100644
--- a/swfdec/swfdec_sprite_movie_as.c
+++ b/swfdec/swfdec_sprite_movie_as.c
@@ -640,6 +640,9 @@ swfdec_sprite_movie_swapDepths (SwfdecAsContext *cx, SwfdecAsObject *object,
SWFDEC_AS_CHECK (SWFDEC_TYPE_MOVIE, (gpointer)&movie, "v", &value);
+ if (movie->parent == NULL)
+ SWFDEC_FIXME ("swapDepths on root movie, should do something weird");
+
if (SWFDEC_AS_VALUE_IS_OBJECT (&value)) {
other = (SwfdecMovie *) SWFDEC_AS_VALUE_GET_OBJECT (&value);
if (!SWFDEC_IS_MOVIE (other) ||
commit 2aff5f0f408c05017927b6ad01c75a3c31f39a4b
Author: Benjamin Otte <otte at gnome.org>
Date: Wed Jul 16 16:43:04 2008 +0200
Add a test for the Date crash that was just fixed
Conflicts:
test/trace/Makefile.am
diff --git a/test/trace/Makefile.am b/test/trace/Makefile.am
index c0eaa29..f8c6703 100644
--- a/test/trace/Makefile.am
+++ b/test/trace/Makefile.am
@@ -736,6 +736,15 @@ EXTRA_DIST = \
crash-0.6.2-try-and-exception-on-dispose-8.swf \
crash-0.6.2-try-and-exception-on-dispose-8.swf.trace \
crash-0.6.2-try-and-exception-on-dispose.as \
+ crash-0.6.6-date-5.swf \
+ crash-0.6.6-date-5.swf.trace \
+ crash-0.6.6-date-6.swf \
+ crash-0.6.6-date-6.swf.trace \
+ crash-0.6.6-date-7.swf \
+ crash-0.6.6-date-7.swf.trace \
+ crash-0.6.6-date-8.swf \
+ crash-0.6.6-date-8.swf.trace \
+ crash-0.6.6-date.as \
crash-0.6.6-prototype-recursion-5.swf \
crash-0.6.6-prototype-recursion-5.swf.trace \
crash-0.6.6-prototype-recursion-6.swf \
diff --git a/test/trace/crash-0.6.6-date-5.swf b/test/trace/crash-0.6.6-date-5.swf
new file mode 100644
index 0000000..eebd1be
Binary files /dev/null and b/test/trace/crash-0.6.6-date-5.swf differ
diff --git a/test/trace/crash-0.6.6-date-5.swf.trace b/test/trace/crash-0.6.6-date-5.swf.trace
new file mode 100644
index 0000000..af368af
--- /dev/null
+++ b/test/trace/crash-0.6.6-date-5.swf.trace
@@ -0,0 +1 @@
+584
diff --git a/test/trace/crash-0.6.6-date-6.swf b/test/trace/crash-0.6.6-date-6.swf
new file mode 100644
index 0000000..7f4d70c
Binary files /dev/null and b/test/trace/crash-0.6.6-date-6.swf differ
diff --git a/test/trace/crash-0.6.6-date-6.swf.trace b/test/trace/crash-0.6.6-date-6.swf.trace
new file mode 100644
index 0000000..af368af
--- /dev/null
+++ b/test/trace/crash-0.6.6-date-6.swf.trace
@@ -0,0 +1 @@
+584
diff --git a/test/trace/crash-0.6.6-date-7.swf b/test/trace/crash-0.6.6-date-7.swf
new file mode 100644
index 0000000..d9946b6
Binary files /dev/null and b/test/trace/crash-0.6.6-date-7.swf differ
diff --git a/test/trace/crash-0.6.6-date-7.swf.trace b/test/trace/crash-0.6.6-date-7.swf.trace
new file mode 100644
index 0000000..af368af
--- /dev/null
+++ b/test/trace/crash-0.6.6-date-7.swf.trace
@@ -0,0 +1 @@
+584
diff --git a/test/trace/crash-0.6.6-date-8.swf b/test/trace/crash-0.6.6-date-8.swf
new file mode 100644
index 0000000..9e0d206
Binary files /dev/null and b/test/trace/crash-0.6.6-date-8.swf differ
diff --git a/test/trace/crash-0.6.6-date-8.swf.trace b/test/trace/crash-0.6.6-date-8.swf.trace
new file mode 100644
index 0000000..af368af
--- /dev/null
+++ b/test/trace/crash-0.6.6-date-8.swf.trace
@@ -0,0 +1 @@
+584
diff --git a/test/trace/crash-0.6.6-date.as b/test/trace/crash-0.6.6-date.as
new file mode 100644
index 0000000..62ab742
--- /dev/null
+++ b/test/trace/crash-0.6.6-date.as
@@ -0,0 +1,6 @@
+// makeswf -v 7 -s 100x150 -r 15 -o crash-0.6.6-date-7.swf crash-0.6.6-date.as
+
+var d = new Date(3.0935415006117e+23);
+trace (d.getUTCMilliseconds());
+
+getURL ("fscommand:quit", "");
commit 06c6d025800cada45b4f42410ce2b6b1364770b5
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Fri Jul 4 00:04:02 2008 +0300
Fix a crash when handling certain really big dates
diff --git a/swfdec/swfdec_as_date.c b/swfdec/swfdec_as_date.c
index 14f1cd9..88bf688 100644
--- a/swfdec/swfdec_as_date.c
+++ b/swfdec/swfdec_as_date.c
@@ -103,28 +103,26 @@ swfdec_as_date_days_in_year (int year)
#define IS_LEAP(year) (swfdec_as_date_days_in_year ((year)) == 366)
static double
-swfdec_as_date_days_since_utc_for_year (int year)
+swfdec_as_date_days_since_utc_for_year (double year)
{
- double year_big = year;
-
- return (
- 365 * (year_big - 1970) +
- floor (((year_big - 1969) / 4.0f)) -
- floor (((year_big - 1901) / 100.0f)) +
- floor (((year_big - 1601) / 400.0f))
+ return floor (
+ 365 * (year - 1970) +
+ floor (((year - 1969) / 4.0f)) -
+ floor (((year - 1901) / 100.0f)) +
+ floor (((year - 1601) / 400.0f))
);
}
-static int
+static double
swfdec_as_date_days_from_utc_to_year (double days)
{
- int low, high, pivot;
+ double low, high, pivot;
low = floor ((days >= 0 ? days / 366.0 : days / 365.0)) + 1970;
high = ceil ((days >= 0 ? days / 365.0 : days / 366.0)) + 1970;
while (low < high) {
- pivot = ((double)low + (double)high) / 2.0;
+ pivot = floor ((low + high) / 2.0);
if (swfdec_as_date_days_since_utc_for_year (pivot) <= days) {
if (swfdec_as_date_days_since_utc_for_year (pivot + 1) > days) {
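Review bot: Switching the year search to `double` removes the int overflow, but above 2^53 a double no longer represents consecutive integers, so `pivot + 1` in the bracket test equals `pivot` and both `swfdec_as_date_days_since_utc_for_year` calls return the same value. Whether `while (low < high)` still narrows in that range depends on the update statements, which lie outside the hunk; a regression input larger than the one in crash-0.6.6-date.as, or an explicit range check on `days` before the search, would settle it. The next hunk makes `year` a double as well, and if it is later stored into an integer field of `BrokenTime` (not visible here) that conversion needs the same range check. The divisors are still written `4.0f`, `100.0f` and `400.0f`; plain `4.0` etc. would match the double arithmetic.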
@@ -145,7 +143,7 @@ swfdec_as_date_milliseconds_to_brokentime (double milliseconds,
BrokenTime *brokentime)
{
double remaining;
- int year;
+ double year;
g_assert (brokentime != NULL);
commit d7cbb6186304848a5bf1ee7de31bb425deb11b12
Author: Benjamin Otte <otte at gnome.org>
Date: Wed Jul 16 16:41:59 2008 +0200
Add a test for the crash fix in last commit (prototype recursion limit)
Conflicts:
test/trace/Makefile.am
diff --git a/test/trace/Makefile.am b/test/trace/Makefile.am
index 5cdb5e0..c0eaa29 100644
--- a/test/trace/Makefile.am
+++ b/test/trace/Makefile.am
@@ -736,6 +736,15 @@ EXTRA_DIST = \
crash-0.6.2-try-and-exception-on-dispose-8.swf \
crash-0.6.2-try-and-exception-on-dispose-8.swf.trace \
crash-0.6.2-try-and-exception-on-dispose.as \
+ crash-0.6.6-prototype-recursion-5.swf \
+ crash-0.6.6-prototype-recursion-5.swf.trace \
+ crash-0.6.6-prototype-recursion-6.swf \
+ crash-0.6.6-prototype-recursion-6.swf.trace \
+ crash-0.6.6-prototype-recursion-7.swf \
+ crash-0.6.6-prototype-recursion-7.swf.trace \
+ crash-0.6.6-prototype-recursion-8.swf \
+ crash-0.6.6-prototype-recursion-8.swf.trace \
+ crash-0.6.6-prototype-recursion.as \
crash-0.6.6-variable-leak-5.swf \
crash-0.6.6-variable-leak-5.swf.trace \
crash-0.6.6-variable-leak-6.swf \
diff --git a/test/trace/crash-0.6.6-prototype-recursion-5.swf b/test/trace/crash-0.6.6-prototype-recursion-5.swf
new file mode 100644
index 0000000..0fc68ff
Binary files /dev/null and b/test/trace/crash-0.6.6-prototype-recursion-5.swf differ
diff --git a/test/trace/crash-0.6.6-prototype-recursion-5.swf.trace b/test/trace/crash-0.6.6-prototype-recursion-5.swf.trace
new file mode 100644
index 0000000..e530efe
--- /dev/null
+++ b/test/trace/crash-0.6.6-prototype-recursion-5.swf.trace
@@ -0,0 +1 @@
+Crash in certain case when prototype recursion limit is exceeded
diff --git a/test/trace/crash-0.6.6-prototype-recursion-6.swf b/test/trace/crash-0.6.6-prototype-recursion-6.swf
new file mode 100644
index 0000000..37c1609
Binary files /dev/null and b/test/trace/crash-0.6.6-prototype-recursion-6.swf differ
diff --git a/test/trace/crash-0.6.6-prototype-recursion-6.swf.trace b/test/trace/crash-0.6.6-prototype-recursion-6.swf.trace
new file mode 100644
index 0000000..e530efe
--- /dev/null
+++ b/test/trace/crash-0.6.6-prototype-recursion-6.swf.trace
@@ -0,0 +1 @@
+Crash in certain case when prototype recursion limit is exceeded
diff --git a/test/trace/crash-0.6.6-prototype-recursion-7.swf b/test/trace/crash-0.6.6-prototype-recursion-7.swf
new file mode 100644
index 0000000..a888b25
Binary files /dev/null and b/test/trace/crash-0.6.6-prototype-recursion-7.swf differ
diff --git a/test/trace/crash-0.6.6-prototype-recursion-7.swf.trace b/test/trace/crash-0.6.6-prototype-recursion-7.swf.trace
new file mode 100644
index 0000000..e530efe
--- /dev/null
+++ b/test/trace/crash-0.6.6-prototype-recursion-7.swf.trace
@@ -0,0 +1 @@
+Crash in certain case when prototype recursion limit is exceeded
diff --git a/test/trace/crash-0.6.6-prototype-recursion-8.swf b/test/trace/crash-0.6.6-prototype-recursion-8.swf
new file mode 100644
index 0000000..4649818
Binary files /dev/null and b/test/trace/crash-0.6.6-prototype-recursion-8.swf differ
diff --git a/test/trace/crash-0.6.6-prototype-recursion-8.swf.trace b/test/trace/crash-0.6.6-prototype-recursion-8.swf.trace
new file mode 100644
index 0000000..e530efe
--- /dev/null
+++ b/test/trace/crash-0.6.6-prototype-recursion-8.swf.trace
@@ -0,0 +1 @@
+Crash in certain case when prototype recursion limit is exceeded
diff --git a/test/trace/crash-0.6.6-prototype-recursion.as b/test/trace/crash-0.6.6-prototype-recursion.as
new file mode 100644
index 0000000..3147e4e
--- /dev/null
+++ b/test/trace/crash-0.6.6-prototype-recursion.as
@@ -0,0 +1,11 @@
+// makeswf -v 7 -r 15 -o crash-0.6.6-prototype-recursion.swf crash-0.6.6-prototype-recursion.as
+
+trace ("Crash in certain case when prototype recursion limit is exceeded");
+
+function get () { return "hello"; };
+function set () { };
+
+var a = {};
+a.__proto__.__proto__ = {};
+a.__proto__.__proto__.addProperty ("test", get, set);
+a.test = "hello2";
commit 2c8cc8341b1e37483ed1e799c23a29ae0f179095
Author: Pekka Lampila <pekka.lampila at iki.fi>
Date: Wed Jul 9 13:05:50 2008 +0300
Fix setting value when getting a variable and prototype recursion limit is hit
This could cause a crash
diff --git a/swfdec/swfdec_as_object.c b/swfdec/swfdec_as_object.c
index e574c1a..a16c13b 100644
--- a/swfdec/swfdec_as_object.c
+++ b/swfdec/swfdec_as_object.c
@@ -958,6 +958,7 @@ swfdec_as_object_get_variable_and_flags (SwfdecAsObject *object,
}
if (i > SWFDEC_AS_OBJECT_PROTOTYPE_RECURSION_LIMIT) {
swfdec_as_context_abort (object->context, "Prototype recursion limit exceeded");
+ SWFDEC_AS_VALUE_SET_UNDEFINED (value);
*flags = 0;
*pobject = NULL;
return FALSE;
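Review bot: The added `SWFDEC_AS_VALUE_SET_UNDEFINED (value)` has no comment explaining why an output is written on the failure path; going by the commit message, callers presumably read `*value` even when FALSE is returned. A comment above the three assignments such as `/* callers may use *value without checking the return value, so never leave it unset */` would record that invariant. Any other `return FALSE` path in this function, outside the hunk, should be checked for the same thing.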