swf: Fix underflow in parsing corrupt DefineButton2 tags
401799_pre_Scene_1.swf has a DefineButton2 tag with an invalid CondActionSize field (it should be at least 4). It's unclear how Flash handles this. For now, avoid the underflow and return an error instead. Fixes #92.
parent
7a5b2607d4
commit
d9facdd89b
|
@ -1031,11 +1031,17 @@ impl<R: Read> Reader<R> {
|
||||||
conditions.insert(ButtonActionCondition::KeyPress);
|
conditions.insert(ButtonActionCondition::KeyPress);
|
||||||
}
|
}
|
||||||
let mut action_data = Vec::with_capacity(length as usize);
|
let mut action_data = Vec::with_capacity(length as usize);
|
||||||
if length > 0 {
|
if length > 4 {
|
||||||
action_data.resize(length as usize - 4, 0);
|
action_data.resize(length as usize - 4, 0);
|
||||||
self.input.read_exact(&mut action_data)?;
|
self.input.read_exact(&mut action_data)?;
|
||||||
} else {
|
} else if length == 0 {
|
||||||
|
// Last action, read to end.
|
||||||
self.input.read_to_end(&mut action_data)?;
|
self.input.read_to_end(&mut action_data)?;
|
||||||
|
} else {
|
||||||
|
// Some SWFs have phantom action records with an invalid length.
|
||||||
|
// See 401799_pre_Scene_1.swf
|
||||||
|
// TODO: How does Flash handle this?
|
||||||
|
return Err(Error::invalid_data("Button action length is too short"));
|
||||||
}
|
}
|
||||||
Ok((
|
Ok((
|
||||||
ButtonAction {
|
ButtonAction {
|
||||||
|
|
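Review bot: The new guard `if length > 4 {` sends a record whose length is exactly 4 into the final `else`, which fails it with "Button action length is too short", although the commit message says the field only needs to be at least 4. At `length == 4` the expression `length as usize - 4` is 0, so `resize` and `read_exact` on an empty buffer are no-ops and nothing underflows. `if length >= 4 {` would still reject 1–3 while accepting a record with no action bytes. Whether real files contain such a record cannot be told from this page, so this is a mismatch between code and message rather than a confirmed parsing failure. The enclosing function starts and ends outside the hunk, and no regression test feeding a length of 1–4 is visible in this change.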