swf: Fix underflow in parsing corrupt DefineButton2 tags

401799_pre_Scene_1.swf has a DefineButton2 tag with an invalid
CondActionSize field (it should be at least 4). It's unclear how
Flash handles this. For now, avoid the underflow and return an
error instead.

Fixes #92.
Mike Welsh 2019-10-11 17:47:20 -07:00
parent 7a5b2607d4
commit d9facdd89b
1 changed files with 8 additions and 2 deletions


@ -1031,11 +1031,17 @@ impl<R: Read> Reader<R> {
conditions.insert(ButtonActionCondition::KeyPress); conditions.insert(ButtonActionCondition::KeyPress);
} }
let mut action_data = Vec::with_capacity(length as usize); let mut action_data = Vec::with_capacity(length as usize);
if length > 0 { if length > 4 {
action_data.resize(length as usize - 4, 0); action_data.resize(length as usize - 4, 0);
self.input.read_exact(&mut action_data)?; self.input.read_exact(&mut action_data)?;
} else { } else if length == 0 {
// Last action, read to end.
self.input.read_to_end(&mut action_data)?; self.input.read_to_end(&mut action_data)?;
} else {
// Some SWFs have phantom action records with an invalid length.
// See 401799_pre_Scene_1.swf
// TODO: How does Flash handle this?
return Err(Error::invalid_data("Button action length is too short"));
} }
Ok(( Ok((
ButtonAction { ButtonAction {
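Review bot: The new guard `if length > 4 {` sends a record whose length is exactly 4 to the error branch, although the commit message says the field "should be at least 4" and `length as usize - 4` does not underflow for that value (it just leaves `action_data` empty). If a 4-byte record with no action bytes is meant to be accepted, the condition should be `if length >= 4 {`. If it is meant to be rejected, the comment in the final `else` should say that lengths 1 through 4 are all treated as invalid. The enclosing function starts and ends outside the hunk, so the type of `length` and how callers react to the new `Error::invalid_data` are not visible here. A regression test that feeds lengths 1 to 4 from a truncated DefineButton2 record would pin the intended boundary.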