From 2e0bc78cd6f9b381c0b2dcc8459ceedac9562bb1 Mon Sep 17 00:00:00 2001
From: relrelb <relrelbachar@gmail.com>
Date: Sat, 1 May 2021 15:11:36 +0300
Subject: [PATCH] avm1: Fix variadic arguments

Previously, if the arguments count was greater than the actual
stack size, then a stack underflow occurred which resulted in a
sequence of undefined values. That didn't match Flash's behavior.

Also, this prevents potential huge allocations that hang Ruffle.

In addition, num_args seems like it should use coerce_to_u32
(wraps at 4294967297). This also means that -1 ends up acting like
u32::MAX and would pop all values off of the stack.
---
 core/src/avm1/activation.rs | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/core/src/avm1/activation.rs b/core/src/avm1/activation.rs
index 8f17e9f33..220fef62c 100644
--- a/core/src/avm1/activation.rs
+++ b/core/src/avm1/activation.rs
@@ -804,7 +804,8 @@ impl<'a, 'gc, 'gc_context> Activation<'a, 'gc, 'gc_context> {
     fn action_call_function(&mut self) -> Result<FrameControl<'gc>, Error<'gc>> {
         let fn_name_value = self.context.avm1.pop();
         let fn_name = fn_name_value.coerce_to_string(self)?;
-        let num_args = self.context.avm1.pop().coerce_to_f64(self)? as usize; // TODO(Herschel): max arg count?
+        let num_args = self.context.avm1.pop().coerce_to_u32(self)? as usize; // TODO(Herschel): max arg count?
+        let num_args = num_args.min(self.context.avm1.stack.len());
         let mut args = Vec::with_capacity(num_args);
         for _ in 0..num_args {
             args.push(self.context.avm1.pop());
@@ -830,7 +831,8 @@ impl<'a, 'gc, 'gc_context> Activation<'a, 'gc, 'gc_context> {
     fn action_call_method(&mut self) -> Result<FrameControl<'gc>, Error<'gc>> {
         let method = self.context.avm1.pop();
         let object_val = self.context.avm1.pop();
-        let num_args = self.context.avm1.pop().coerce_to_f64(self)? as usize; // TODO(Herschel): max arg count?
+        let num_args = self.context.avm1.pop().coerce_to_u32(self)? as usize; // TODO(Herschel): max arg count?
+        let num_args = num_args.min(self.context.avm1.stack.len());
         let mut args = Vec::with_capacity(num_args);
         for _ in 0..num_args {
             args.push(self.context.avm1.pop());
@@ -1686,7 +1688,8 @@ impl<'a, 'gc, 'gc_context> Activation<'a, 'gc, 'gc_context> {
     fn action_new_method(&mut self) -> Result<FrameControl<'gc>, Error<'gc>> {
         let method_name = self.context.avm1.pop();
         let object_val = self.context.avm1.pop();
-        let num_args = self.context.avm1.pop().coerce_to_f64(self)? as usize;
+        let num_args = self.context.avm1.pop().coerce_to_u32(self)? as usize;
+        let num_args = num_args.min(self.context.avm1.stack.len());
         let mut args = Vec::with_capacity(num_args);
         for _ in 0..num_args {
             args.push(self.context.avm1.pop());
@@ -1719,7 +1722,8 @@ impl<'a, 'gc, 'gc_context> Activation<'a, 'gc, 'gc_context> {
     fn action_new_object(&mut self) -> Result<FrameControl<'gc>, Error<'gc>> {
         let fn_name_val = self.context.avm1.pop();
         let fn_name = fn_name_val.coerce_to_string(self)?;
-        let num_args = self.context.avm1.pop().coerce_to_f64(self)? as usize;
+        let num_args = self.context.avm1.pop().coerce_to_u32(self)? as usize;
+        let num_args = num_args.min(self.context.avm1.stack.len());
         let mut args = Vec::with_capacity(num_args);
         for _ in 0..num_args {
             args.push(self.context.avm1.pop());