[Swfdec] 15 commits - libswfdec/jpeg libswfdec/swfdec_bits.c libswfdec/swfdec_edittext.c libswfdec/swfdec_font.c libswfdec/swfdec_image.c libswfdec/swfdec_root_sprite.c libswfdec/swfdec_script.c libswfdec/swfdec_shape.c libswfdec/swfdec_sprite.c

Benjamin Otte company at kemper.freedesktop.org
Tue Apr 17 04:36:57 PDT 2007


 libswfdec/jpeg/jpeg.c          |    3 +++
 libswfdec/swfdec_bits.c        |   18 ++++++++++++++++--
 libswfdec/swfdec_edittext.c    |    3 ++-
 libswfdec/swfdec_font.c        |   30 ++++++++++++++++++++++++------
 libswfdec/swfdec_image.c       |   30 ++++++++++++++----------------
 libswfdec/swfdec_root_sprite.c |    2 +-
 libswfdec/swfdec_script.c      |   19 +++++++++----------
 libswfdec/swfdec_shape.c       |   11 ++++++-----
 libswfdec/swfdec_sprite.c      |    6 ++++--
 9 files changed, 79 insertions(+), 43 deletions(-)

New commits:
diff-tree de1a29a1b62e30df5cb4a26fe192efd44db98bec (from 4ecf6f08ab585cbf8089373cb6535d5e3e3493fc)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 13:13:48 2007 +0200

    break the ExportAssets loop if no more bytes are available

diff --git a/libswfdec/swfdec_root_sprite.c b/libswfdec/swfdec_root_sprite.c
index 7159927..41e8b31 100644
--- a/libswfdec/swfdec_root_sprite.c
+++ b/libswfdec/swfdec_root_sprite.c
@@ -117,7 +117,7 @@ tag_func_export_assets (SwfdecSwfDecoder
 
   count = swfdec_bits_get_u16 (bits);
   SWFDEC_LOG ("exporting %u assets", count);
-  for (i = 0; i < count; i++) {
+  for (i = 0; i < count && swfdec_bits_left (bits); i++) {
     guint id;
     SwfdecCharacter *object;
     char *name;
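Review bot: The new loop condition only stops iterating once every remaining bit is consumed, so an entry whose u16 id plus name straddles the end of the tag still enters the body; the check bounds the iteration count, not the reads inside it. swfdec_bits_left appears to count bits rather than bytes (the swfdec_script.c hunk in this series divides it by 8), so this is a cheap bail-out for corrupted counts and the per-entry reads must keep their own bounds checks. A comment on the loop such as `/* corrupt count: stop when the tag runs out instead of looping count times */` would record that intent. The same pattern is added to the two style loops in swfdec_shape.c in the next commit and the same remark applies there. tag_func_export_assets continues outside the hunk.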
diff-tree 4ecf6f08ab585cbf8089373cb6535d5e3e3493fc (from 09b659302736f9b00db64a1586703de7fe8f7344)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 12:40:39 2007 +0200

    break out of loop if no more bits are available
    
    this avoids long erroneous loops when the number of styles in
    the file has been corrupted

diff --git a/libswfdec/swfdec_shape.c b/libswfdec/swfdec_shape.c
index 3aa5053..ac2491e 100644
--- a/libswfdec/swfdec_shape.c
+++ b/libswfdec/swfdec_shape.c
@@ -329,7 +329,7 @@ swfdec_shape_add_styles (SwfdecSwfDecode
     n_fill_styles = swfdec_bits_get_u16 (bits);
   }
   SWFDEC_LOG ("   n_fill_styles %d", n_fill_styles);
-  for (i = 0; i < n_fill_styles; i++) {
+  for (i = 0; i < n_fill_styles && swfdec_bits_left (bits); i++) {
     SwfdecPattern *pattern;
 
     SWFDEC_LOG ("   fill style %d:", i);
@@ -344,7 +344,7 @@ swfdec_shape_add_styles (SwfdecSwfDecode
     n_line_styles = swfdec_bits_get_u16 (bits);
   }
   SWFDEC_LOG ("   n_line_styles %d", n_line_styles);
-  for (i = 0; i < n_line_styles; i++) {
+  for (i = 0; i < n_line_styles && swfdec_bits_left (bits); i++) {
     g_ptr_array_add (shape->lines, parse_stroke (s));
   }
 
diff-tree 09b659302736f9b00db64a1586703de7fe8f7344 (from b498ba186ab9d587cc087ae9ab5952f1d5b2865a)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 12:36:33 2007 +0200

    it's not this code's job to syncbits

diff --git a/libswfdec/swfdec_shape.c b/libswfdec/swfdec_shape.c
index a81b389..3aa5053 100644
--- a/libswfdec/swfdec_shape.c
+++ b/libswfdec/swfdec_shape.c
@@ -338,7 +338,6 @@ swfdec_shape_add_styles (SwfdecSwfDecode
     g_ptr_array_add (shape->fills, pattern);
   }
 
-  swfdec_bits_syncbits (bits);
   shape->lines_offset = shape->lines->len;
   n_line_styles = swfdec_bits_get_u8 (bits);
   if (n_line_styles == 0xff) {
@@ -349,7 +348,6 @@ swfdec_shape_add_styles (SwfdecSwfDecode
     g_ptr_array_add (shape->lines, parse_stroke (s));
   }
 
-  swfdec_bits_syncbits (bits);
   shape->n_fill_bits = swfdec_bits_getbits (bits, 4);
   shape->n_line_bits = swfdec_bits_getbits (bits, 4);
 }
diff-tree b498ba186ab9d587cc087ae9ab5952f1d5b2865a (from 45c89c3d902be858a304539165d1160e822fba52)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 12:19:27 2007 +0200

    avoid overflow issues when bytes is near MAXUINT

diff --git a/libswfdec/swfdec_bits.c b/libswfdec/swfdec_bits.c
index 8eef225..0f7e4c9 100644
--- a/libswfdec/swfdec_bits.c
+++ b/libswfdec/swfdec_bits.c
@@ -95,7 +95,9 @@ swfdec_bits_init_bits (SwfdecBits *bits,
 
   bits->buffer = from->buffer;
   bits->ptr = from->ptr;
-  bits->end = MIN (bits->ptr + bytes, from->end);
+  if (bytes > (guint) (from->end - from->ptr))
+    bytes = from->end - from->ptr;
+  bits->end = bits->ptr + bytes;
   bits->idx = 0;
   from->ptr = bits->end;
 }
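Review bot: The clamp in the two added lines silently truncates a request that exceeds the remaining input, so a corrupt length field is no longer distinguishable from a valid one by the caller or in the logs. The `(guint)` cast of the pointer difference also assumes `from->ptr <= from->end`; if that invariant ever breaks, the difference becomes a huge unsigned value and the clamp is skipped. Consider logging the truncation, e.g. `SWFDEC_ERROR ("requested %u bytes, only %u available", bytes, (guint) (from->end - from->ptr));` inside the `if`, so truncated tags are visible when debugging broken files. swfdec_bits_init_bits begins outside the hunk.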
diff-tree 45c89c3d902be858a304539165d1160e822fba52 (from 36a3f8c38831112cb93caeb3fdf5ab3214fbb859)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 12:12:11 2007 +0200

    movies without a rate don't have sound

diff --git a/libswfdec/swfdec_sprite.c b/libswfdec/swfdec_sprite.c
index f3ad17d..19c1442 100644
--- a/libswfdec/swfdec_sprite.c
+++ b/libswfdec/swfdec_sprite.c
@@ -562,8 +562,10 @@ swfdec_sprite_set_n_frames (SwfdecSprite
   sprite->frames = g_new0 (SwfdecSpriteFrame, n_frames);
   sprite->n_frames = n_frames;
 
-  for (i = 0; i < n_frames; i++) {
-    sprite->frames[i].sound_samples = 44100 * 256 / rate;
+  if (rate > 0) {
+    for (i = 0; i < n_frames; i++) {
+      sprite->frames[i].sound_samples = 44100 * 256 / rate;
+    }
   }
 
   SWFDEC_LOG ("n_frames = %d", sprite->n_frames);
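Review bot: With the `rate > 0` guard the zero-rate case now relies on `g_new0` having left `sound_samples` at 0, which matches the commit's intent but is only visible by reading the allocation a few lines up. A comment on the new `if`, e.g. `/* rate == 0: no sound; frames keep sound_samples == 0 from g_new0 */`, would make that explicit. If `rate` is a signed type, a negative rate also lands in the silent no-sound path rather than being reported; the declaration is outside the hunk, so confirm which is wanted. swfdec_sprite_set_n_frames begins outside the hunk.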
diff-tree 36a3f8c38831112cb93caeb3fdf5ab3214fbb859 (from 79da14950862c8c92669a9091edf0daf33792588)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 12:11:48 2007 +0200

    only convert variable names if they exist

diff --git a/libswfdec/swfdec_edittext.c b/libswfdec/swfdec_edittext.c
index 151feb2..e89c8f5 100644
--- a/libswfdec/swfdec_edittext.c
+++ b/libswfdec/swfdec_edittext.c
@@ -76,7 +76,8 @@ swfdec_edit_text_parse_variable (SwfdecE
     return;
   }
   /* FIXME: check the variable for valid identifiers */
-  if (strchr (text->variable, '/')) {
+  if (text->variable &&
+      strchr (text->variable, '/')) {
     char *ret = swfdec_js_slash_to_dot (text->variable);
     g_free (text->variable);
     text->variable = ret;
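Review bot: The new condition is split across two lines although `if (text->variable && strchr (text->variable, '/')) {` fits comfortably on one, and the rest of this function (as visible here) keeps conditions on a single line. The NULL check is correct; it does not address the FIXME above it, so that comment should stay. swfdec_edit_text_parse_variable begins outside the hunk.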
diff-tree 79da14950862c8c92669a9091edf0daf33792588 (from 3f4fa05395690c80c19ead02027ee4beb71f9f2d)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 12:07:49 2007 +0200

    Fix various failures to sanely read buffers

diff --git a/libswfdec/swfdec_image.c b/libswfdec/swfdec_image.c
index 612b52b..6d15e27 100644
--- a/libswfdec/swfdec_image.c
+++ b/libswfdec/swfdec_image.c
@@ -122,9 +122,7 @@ tag_func_define_bits_jpeg (SwfdecSwfDeco
   } else {
     image->jpegtables = swfdec_buffer_ref (s->jpegtables);
   }
-  image->raw_data = swfdec_buffer_ref (bits->buffer);
-
-  bits->ptr += bits->buffer->length - 2;
+  image->raw_data = swfdec_bits_get_buffer (bits, -1);
 
   return SWFDEC_STATUS_OK;
 }
@@ -146,14 +144,14 @@ swfdec_image_jpeg_load (SwfdecImage *ima
     jpeg_decoder_addbits (dec, image->jpegtables->data,
         image->jpegtables->length);
   }
-  if (image->raw_data->data[2] != 0xff || image->raw_data->data[3] != 0xd8) {
+  if (image->raw_data->data[0] != 0xff || image->raw_data->data[1] != 0xd8) {
     SWFDEC_ERROR("not jpeg %02x %02x",
-        image->raw_data->data[2], image->raw_data->data[3]);
+        image->raw_data->data[0], image->raw_data->data[1]);
     jpeg_decoder_free (dec);
     return;
   }
-  jpeg_decoder_addbits (dec, image->raw_data->data + 2,
-      image->raw_data->length - 2);
+  jpeg_decoder_addbits (dec, image->raw_data->data,
+      image->raw_data->length);
   jpeg_decoder_parse (dec);
   jpeg_decoder_get_image_size (dec, &image->width, &image->height);
   if (image->width == 0 || image->height == 0) {
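Review bot: The signature check on the changed `if` line reads `data[0]` and `data[1]` without first checking `image->raw_data->length`, so a one-byte raw_data buffer makes `data[1]` an out-of-bounds read; swfdec_bits_get_buffer (bits, -1) only yields NULL for an empty result (per the doc updated in this series), so a one-byte buffer is reachable from a truncated tag. Add the length to the condition: `if (image->raw_data->length < 2 || image->raw_data->data[0] != 0xff || image->raw_data->data[1] != 0xd8) {`. The corresponding check in swfdec_image_jpeg2_load's hunk below has the same gap. swfdec_image_jpeg_load begins and ends outside the hunk.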
@@ -184,9 +182,7 @@ tag_func_define_bits_jpeg_2 (SwfdecSwfDe
     return SWFDEC_STATUS_OK;
 
   image->type = SWFDEC_IMAGE_TYPE_JPEG2;
-  image->raw_data = swfdec_buffer_ref (bits->buffer);
-
-  bits->ptr += bits->buffer->length - 2;
+  image->raw_data = swfdec_bits_get_buffer (bits, -1);
 
   return SWFDEC_STATUS_OK;
 }
@@ -198,14 +194,14 @@ swfdec_image_jpeg2_load (SwfdecImage *im
 
   dec = jpeg_decoder_new ();
 
-  if (image->raw_data->data[2] != 0xff || image->raw_data->data[3] != 0xd8) {
+  if (image->raw_data->data[0] != 0xff || image->raw_data->data[1] != 0xd8) {
     SWFDEC_ERROR("not jpeg %02x %02x",
-        image->raw_data->data[2], image->raw_data->data[3]);
+        image->raw_data->data[0], image->raw_data->data[1]);
     jpeg_decoder_free (dec);
     return;
   }
-  jpeg_decoder_addbits (dec, image->raw_data->data + 2,
-      image->raw_data->length - 2);
+  jpeg_decoder_addbits (dec, image->raw_data->data,
+      image->raw_data->length);
   jpeg_decoder_parse (dec);
   jpeg_decoder_get_image_size (dec, &image->width, &image->height);
   if (image->width == 0 || image->height == 0) {
@@ -539,6 +535,9 @@ swfdec_image_colormap_decode (SwfdecImag
 static gboolean
 swfdec_image_ensure_loaded (SwfdecImage *image)
 {
+  if (image->raw_data == NULL)
+    return FALSE;
+
   if (image->data == NULL) {
     switch (image->type) {
       case SWFDEC_IMAGE_TYPE_JPEG:
diff-tree 3f4fa05395690c80c19ead02027ee4beb71f9f2d (from d7461508e0d76b7eaa89cc67427f8415884d29f7)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 12:07:21 2007 +0200

    handle morph shape offset sanely

diff --git a/libswfdec/swfdec_shape.c b/libswfdec/swfdec_shape.c
index 3792582..a81b389 100644
--- a/libswfdec/swfdec_shape.c
+++ b/libswfdec/swfdec_shape.c
@@ -1038,7 +1038,10 @@ tag_define_morph_shape (SwfdecSwfDecoder
   swfdec_bits_get_rect (bits, &morph->end_extents);
   offset = swfdec_bits_get_u32 (bits);
   end_bits = *bits;
-  end_bits.ptr += offset;
+  if (swfdec_bits_skip_bytes (&end_bits, offset) != offset) {
+    SWFDEC_ERROR ("wrong offset in DefineMorphShape");
+    return SWFDEC_STATUS_OK;
+  }
   bits->end = end_bits.ptr;
 
   swfdec_shape_add_styles (s, SWFDEC_SHAPE (morph),
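Review bot: An `offset` of 0 passes the new check and then `bits->end = end_bits.ptr;` leaves `bits` with no bytes for the start shape; if a zero offset is not a valid DefineMorphShape, reject it together with the skip failure, e.g. `if (offset == 0 || swfdec_bits_skip_bytes (&end_bits, offset) != offset) {`. The function also still writes `bits->end` directly, which is the manual SwfdecBits surgery the rest of this series replaces with swfdec_bits_init_bits / swfdec_bits_get_buffer; if the style parsers can take a separate SwfdecBits, splitting the range with swfdec_bits_init_bits would avoid touching the struct. tag_define_morph_shape continues outside the hunk.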
diff-tree d7461508e0d76b7eaa89cc67427f8415884d29f7 (from 42e6df0df9df1b028752c6afe2632008e3378bdc)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 11:46:17 2007 +0200

    sanely skip offsets in DefineFont2

diff --git a/libswfdec/swfdec_font.c b/libswfdec/swfdec_font.c
index c626104..c0562b1 100644
--- a/libswfdec/swfdec_font.c
+++ b/libswfdec/swfdec_font.c
@@ -289,6 +289,7 @@ tag_func_define_font_2 (SwfdecSwfDecoder
   int font_descent;
   int font_leading;
   int i;
+  guint skip;
 
   id = swfdec_bits_get_u16 (bits);
   font = swfdec_swf_decoder_create_character (s, id, SWFDEC_TYPE_FONT);
@@ -318,10 +319,18 @@ tag_func_define_font_2 (SwfdecSwfDecoder
 
   n_glyphs = swfdec_bits_get_u16 (bits);
   if (wide_offsets) {
-    bits->ptr += 4 * n_glyphs;
+    skip = 4 * n_glyphs;
+    if (swfdec_bits_skip_bytes (bits, skip) != skip) {
+      SWFDEC_ERROR ("could not skip %u bytes", skip);
+      return SWFDEC_STATUS_OK;
+    }
     code_table_offset = swfdec_bits_get_u32 (bits);
   } else {
-    bits->ptr += 2 * n_glyphs;
+    skip = 2 * n_glyphs;
+    if (swfdec_bits_skip_bytes (bits, skip) != skip) {
+      SWFDEC_ERROR ("could not skip %u bytes", skip);
+      return SWFDEC_STATUS_OK;
+    }
     code_table_offset = swfdec_bits_get_u16 (bits);
   }
 
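Review bot: The two branches duplicate the skip-and-bail block; the only differences are the width of the offset table (4 or 2 bytes per glyph) and the width of the code table offset, so the check can be written once. Folding it also makes the error path a single place to adjust if returning SWFDEC_STATUS_OK after a partially initialised font (it was already created with swfdec_swf_decoder_create_character above) turns out not to be what is wanted. `n_glyphs` is a u16, so `4 * n_glyphs` cannot overflow a guint. tag_func_define_font_2 continues outside the hunk.

```c
  n_glyphs = swfdec_bits_get_u16 (bits);
  /* skip the glyph offset table; entry width depends on wide_offsets */
  skip = (wide_offsets ? 4 : 2) * n_glyphs;
  if (swfdec_bits_skip_bytes (bits, skip) != skip) {
    SWFDEC_ERROR ("could not skip %u bytes", skip);
    return SWFDEC_STATUS_OK;
  }
  code_table_offset = wide_offsets ? swfdec_bits_get_u32 (bits)
                                   : swfdec_bits_get_u16 (bits);
  /* … unchanged: rest of tag_func_define_font_2 … */
```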
diff-tree 42e6df0df9df1b028752c6afe2632008e3378bdc (from f8d83577ae0fca8a750b0ff309faaf205cbe87cc)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 11:35:50 2007 +0200

    fix swfdec_script_new to not touch the SwfdecBits struct directly

diff --git a/libswfdec/swfdec_script.c b/libswfdec/swfdec_script.c
index 5163ce7..d675207 100644
--- a/libswfdec/swfdec_script.c
+++ b/libswfdec/swfdec_script.c
@@ -2731,7 +2731,8 @@ SwfdecScript *
 swfdec_script_new (SwfdecBits *bits, const char *name, guint version)
 {
   SwfdecScript *script;
-  const guchar *start;
+  SwfdecBits org;
+  guint len;
   
   g_return_val_if_fail (bits != NULL, NULL);
 
@@ -2740,8 +2741,8 @@ swfdec_script_new (SwfdecBits *bits, con
     return NULL;
   }
 
-  swfdec_bits_syncbits (bits);
-  start = bits->ptr;
+  org = *bits;
+  len = swfdec_bits_left (bits) / 8;
   script = g_new0 (SwfdecScript, 1);
   script->refcount = 1;
   script->name = g_strdup (name ? name : "Unnamed script");
@@ -2750,15 +2751,12 @@ swfdec_script_new (SwfdecBits *bits, con
    * DefineFunction and friends override this */
   script->flags = SWFDEC_SCRIPT_SUPPRESS_ARGS;
 
-  if (!swfdec_script_foreach_internal (bits, validate_action, script)) {
-    /* assign a random buffer here so we have something to unref */
-    script->buffer = bits->buffer;
-    swfdec_buffer_ref (script->buffer);
+  if (!swfdec_script_foreach_internal (bits, validate_action, script) ||
+      (len -= swfdec_bits_left (bits) / 8) == 0) {
     swfdec_script_unref (script);
     return NULL;
   }
-  script->buffer = swfdec_buffer_new_subbuffer (bits->buffer, start - bits->buffer->data,
-      bits->ptr - start);
+  script->buffer = swfdec_bits_get_buffer (&org, len);
   return script;
 }
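Review bot: The `(len -= swfdec_bits_left (bits) / 8) == 0` test folds an assignment into the `||` condition, which is easy to misread as a comparison; computing it on its own line reads better: `len -= swfdec_bits_left (bits) / 8;` followed by `if (len == 0) { swfdec_script_unref (script); return NULL; }`. The removed code called swfdec_bits_syncbits before recording the start, while the new `org = *bits;` snapshot and the `/ 8` arithmetic assume `bits` is byte-aligned on entry; if it can arrive mid-byte, `len` is off by one, so a comment stating the alignment precondition would help. `swfdec_bits_get_buffer (&org, len)` can return NULL on short data per its doc; the unref hunk below now tolerates that, but swfdec_script_new would then return a script whose buffer is NULL instead of failing, so a NULL check before `return script;` seems warranted.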
 
@@ -2785,7 +2783,8 @@ swfdec_script_unref (SwfdecScript *scrip
   if (script->refcount > 0)
     return;
 
-  swfdec_buffer_unref (script->buffer);
+  if (script->buffer)
+    swfdec_buffer_unref (script->buffer);
   if (script->constant_pool)
     swfdec_buffer_unref (script->constant_pool);
   g_free (script->name);
diff-tree f8d83577ae0fca8a750b0ff309faaf205cbe87cc (from 0fecc667a7f73138a1e16b12a0c9c7f4081d369c)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 11:35:21 2007 +0200

    handle 0 bytes of input gracefully

diff --git a/libswfdec/jpeg/jpeg.c b/libswfdec/jpeg/jpeg.c
index 216d8a5..228a4d8 100644
--- a/libswfdec/jpeg/jpeg.c
+++ b/libswfdec/jpeg/jpeg.c
@@ -780,6 +780,9 @@ jpeg_decoder_addbits (JpegDecoder * dec,
 {
   unsigned int offset;
 
+  if (len == 0)
+    return 0;
+
 #if 0
   {
     static int index = 0;
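Review bot: The early `return 0` carries no comment, and the function signature, including the type of `len` and the meaning of the return value, is above the hunk, so a reader cannot tell here whether 0 is an error code or a byte count. A one-line comment such as `/* empty input: nothing to append */` would say why the guard exists. If `len` is a signed type, the guard should be `len <= 0` so a negative length is also rejected; confirm against the declaration. jpeg_decoder_addbits continues outside the hunk.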
diff-tree 0fecc667a7f73138a1e16b12a0c9c7f4081d369c (from 56fd58406827a35ff524eb9340d07602e819e6f2)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 11:34:56 2007 +0200

    clarify behaviour of swfdec_bits_get_buffer

diff --git a/libswfdec/swfdec_bits.c b/libswfdec/swfdec_bits.c
index 11df1ba..8eef225 100644
--- a/libswfdec/swfdec_bits.c
+++ b/libswfdec/swfdec_bits.c
@@ -646,7 +646,8 @@ swfdec_bits_get_rect (SwfdecBits * bits,
  * @len: length of buffer or -1 for maximum
  *
  * Gets the contents of the next @len bytes of @bits and buts them in a new
- * subbuffer.
+ * subbuffer. If @len is 0 (or @len is -1 and no more data is available), this
+ * is considered a reading error and %NULL is returned.
  *
  * Returns: the new #SwfdecBuffer or NULL if the requested amount of data 
  *          isn't available
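Review bot: The context line just above the changed text still reads "buts them in a new subbuffer" and should be "puts"; since this commit rewrites that sentence it is the natural place to fix it. The new sentence would also be a good place to say whether @bits is advanced on the %NULL path, which a caller handling the error needs to know; the function body is not in the hunk, so confirm the behaviour before documenting it.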
diff-tree 56fd58406827a35ff524eb9340d07602e819e6f2 (from a490ca007d4158f6989c3b9d858e8703a0c69fbf)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 11:12:46 2007 +0200

    read font names sanely

diff --git a/libswfdec/swfdec_font.c b/libswfdec/swfdec_font.c
index 0aca1d5..c626104 100644
--- a/libswfdec/swfdec_font.c
+++ b/libswfdec/swfdec_font.c
@@ -93,6 +93,7 @@ swfdec_font_get_glyph (SwfdecFont * font
   return g_array_index (font->glyphs, SwfdecFontEntry, glyph).shape;
 }
 
+#if 0
 static char *
 convert_from_language (const char *s, SwfdecLanguage language)
 {
@@ -120,6 +121,7 @@ convert_from_language (const char *s, Sw
     SWFDEC_ERROR ("given text is not in language %s", langcode);
   return ret;
 }
+#endif
 
 int
 tag_func_define_font_info (SwfdecSwfDecoder *s, guint version)
@@ -158,7 +160,6 @@ tag_func_define_font_info (SwfdecSwfDeco
   wide = swfdec_bits_getbit (&s->b);
   if (version > 1)
     language = swfdec_bits_get_u8 (&s->b);
-  font->name = convert_from_language (name, language);
   g_free (name);
   if (font->name) {
     SWFDEC_LOG ("Creating font description for font %d", id);
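Review bot: Removing the `font->name = convert_from_language (...)` line leaves `font->name` unassigned in tag_func_define_font_info as far as this hunk shows, so the `if (font->name)` block right below appears to be dead and `name` is now read from the stream only to be freed; `language` is still read but no longer used. If that is the intended stopgap while convert_from_language sits under `#if 0`, a comment at the removal point such as `/* FIXME: name must be converted from @language to UTF-8; until then the font stays unnamed */` would explain the silent drop. Otherwise the raw bytes could be kept only after validation, as the DefineFont2 hunk now does via swfdec_bits_get_string_length. tag_func_define_font_info continues outside the hunk.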
@@ -308,8 +309,12 @@ tag_func_define_font_2 (SwfdecSwfDecoder
   SWFDEC_DEBUG("langcode %d", langcode);
 
   font_name_len = swfdec_bits_get_u8 (bits);
-  //font_name = 
-  bits->ptr += font_name_len;
+  font->name = swfdec_bits_get_string_length (bits, font_name_len);
+  if (font->name == NULL) {
+    SWFDEC_ERROR ("error reading font name");
+  } else {
+    SWFDEC_LOG ("  font name = %s", font->name);
+  }
 
   n_glyphs = swfdec_bits_get_u16 (bits);
   if (wide_offsets) {
@@ -397,7 +402,11 @@ tag_func_define_font_3 (SwfdecSwfDecoder
   SWFDEC_LOG (" language = %u", (guint) language);
   len = swfdec_bits_get_u8 (&s->b);
   font->name = swfdec_bits_get_string_length (&s->b, len);
-  SWFDEC_LOG (" name = %s", font->name);
+  if (font->name == NULL) {
+    SWFDEC_ERROR ("error reading font name");
+  } else {
+    SWFDEC_LOG ("  font name = %s", font->name);
+  }
   n_glyphs = swfdec_bits_get_u16 (&s->b);
   SWFDEC_LOG (" n_glyphs = %u", n_glyphs);
   
diff-tree a490ca007d4158f6989c3b9d858e8703a0c69fbf (from 26c7b2f2b16edc2c7f9f044deee8fbc06743fee7)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 11:12:34 2007 +0200

    use swfdec_bits_get_buffer instead of manually fuzzing with the SwfdecBits structure

diff --git a/libswfdec/swfdec_image.c b/libswfdec/swfdec_image.c
index 69a3f17..612b52b 100644
--- a/libswfdec/swfdec_image.c
+++ b/libswfdec/swfdec_image.c
@@ -96,8 +96,7 @@ swfdec_image_jpegtables (SwfdecSwfDecode
 
   SWFDEC_DEBUG ("swfdec_image_jpegtables");
 
-  s->jpegtables = swfdec_buffer_ref (bits->buffer);
-  bits->ptr += bits->buffer->length;
+  s->jpegtables = swfdec_bits_get_buffer (bits, -1);
 
   return SWFDEC_STATUS_OK;
 }
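Review bot: `swfdec_bits_get_buffer (bits, -1)` returns %NULL when no data is left (per the doc updated later in this series), and the new line stores that result unchecked; tag_func_define_bits_jpeg then passes `s->jpegtables` to swfdec_buffer_ref, and whether that tolerates NULL is not visible here. Reject the empty case explicitly: `if (s->jpegtables == NULL) SWFDEC_ERROR ("empty JPEGTables tag");`. If the decoder can already hold a buffer from an earlier JPEGTables tag at this point, the assignment also drops the old reference without an unref; the start of swfdec_image_jpegtables is outside the hunk, so that may be handled above.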
diff-tree 26c7b2f2b16edc2c7f9f044deee8fbc06743fee7 (from 04113e5a83386f59140f248a817f7bf8d6728ddb)
Author: Benjamin Otte <otte at gnome.org>
Date:   Tue Apr 17 11:00:41 2007 +0200

    make swfdec_bits_get_string_length read 0-byte strings

diff --git a/libswfdec/swfdec_bits.c b/libswfdec/swfdec_bits.c
index 6e25cf7..11df1ba 100644
--- a/libswfdec/swfdec_bits.c
+++ b/libswfdec/swfdec_bits.c
@@ -521,11 +521,22 @@ swfdec_bits_skip_bytes (SwfdecBits *bits
   return n_bytes;
 }
 
+/**
+ * swfdec_bits_get_string_length:
+ * @bits: a #SwfdecBits
+ * @len: number of bytes to read
+ *
+ * Reads the next @len bytes into a string and validates it as UTF-8.
+ *
+ * Returns: a new string or %NULL on error
+ **/
 char *
 swfdec_bits_get_string_length (SwfdecBits * bits, guint len)
 {
   char *ret;
 
+  if (len == 0)
+    return g_strdup ("");
   SWFDEC_BYTES_CHECK (bits, len);
 
   ret = g_strndup ((char *) bits->ptr, len);
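Review bot: The new doc comment promises the bytes are "validated as UTF-8", but the visible body only calls g_strndup; the validation presumably follows after the hunk, so confirm the docstring matches what the function actually does. g_strndup stops copying at the first NUL, so a @len-byte field containing an embedded NUL yields a shorter string while the read position, if it is advanced by @len outside the hunk, still moves past the whole field; worth a sentence in the doc, e.g. "Bytes after an embedded NUL are discarded." The `len == 0` shortcut returns before SWFDEC_BYTES_CHECK, which is consistent since nothing is read. swfdec_bits_get_string_length ends outside the hunk.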

