`read_i32` no longer panics if more than 28 bits are defined within the read-in integer constant.

The underlying problem is actually shift overflow - on the fifth byte in the sequence, it attempts to mask bits by shifting them off the left of the value, which doesn't work here, as we'll be shifting by -3. For those unaware, shifting by a negative does NOT shift in the opposite direction, it instead gives your C compiler permission to stuff demons up your nose.

I wouldn't be surprised if this is just outright UB in Flash Player.
David Wendt 2020-06-25 23:54:42 -04:00 committed by Mike Welsh
parent 351fe026e9
commit 345a244ed4
1 changed files with 6 additions and 2 deletions

@ -112,9 +112,13 @@ impl<R: Read> Reader<R> {
let byte: i32 = self.read_u8()?.into();
n |= (byte & 0b0111_1111) << i;
i += 7;
if byte & 0b1000_0000 == 0 {
n <<= 32 - i;
n >>= 32 - i;
if i < 32 {
n <<= 32 - i;
n >>= 32 - i;
}
break;
}
}
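
Review bot: The new `if i < 32` guard around `n <<= 32 - i; n >>= 32 - i;` carries no comment saying why it exists, and the hunk adds no regression test for the five-byte case. After the fifth byte `i` is 35, so `32 - i` is no longer a valid shift amount and the sign-extension pair has to be skipped; a one-line comment to that effect would keep a later cleanup from removing the guard. On that same fifth byte, `n |= (byte & 0b0111_1111) << i;` runs with `i == 28`, so the top three payload bits are discarded silently. If that is the intended handling of over-long encodings it is worth stating, and a test that reads a five-byte value with those bits set would pin the behaviour down. The loop bound is outside this hunk, so please confirm it cannot reach a sixth byte, where `<< i` itself would shift by 35.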