swf: Fix underflow in parsing corrupt DefineButton2 tags
401799_pre_Scene_1.swf has a DefineButton2 tag with an invalid CondActionSize field (it should be at least 4). It's unclear how Flash handles this. For now, avoid the underflow and return an error instead. Fixes #92.
parent
7a5b2607d4
commit
d9facdd89b
|
@ -1031,11 +1031,17 @@ impl<R: Read> Reader<R> {
|
|||
conditions.insert(ButtonActionCondition::KeyPress);
|
||||
}
|
||||
let mut action_data = Vec::with_capacity(length as usize);
|
||||
if length > 0 {
|
||||
if length > 4 {
|
||||
action_data.resize(length as usize - 4, 0);
|
||||
self.input.read_exact(&mut action_data)?;
|
||||
} else {
|
||||
} else if length == 0 {
|
||||
// Last action, read to end.
|
||||
self.input.read_to_end(&mut action_data)?;
|
||||
} else {
|
||||
// Some SWFs have phantom action records with an invalid length.
|
||||
// See 401799_pre_Scene_1.swf
|
||||
// TODO: How does Flash handle this?
|
||||
return Err(Error::invalid_data("Button action length is too short"));
|
||||
}
|
||||
Ok((
|
||||
ButtonAction {
|
||||
|
|
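Review bot: The new guard `if length > 4 {` also rejects a length of exactly 4, which the commit description gives as the minimum valid CondActionSize. With `if length >= 4 {` that case would resize `action_data` to zero bytes, and `read_exact` on an empty buffer returns immediately, while lengths 1 to 3 would still reach the "Button action length is too short" error. Separately, the `length == 0` branch still calls `read_to_end` on `self.input`, and the hunk does not show whether that reader is limited to the tag body. It is worth confirming that a corrupt final record cannot make the parser buffer the rest of an untrusted file. The enclosing function starts and ends outside the hunk.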