
[Gnash-commit] /srv/bzr/gnash/rtmp r9988: trap some strings when the len


From: rob
Subject: [Gnash-commit] /srv/bzr/gnash/rtmp r9988: trap some strings when the length has been corrupted.
Date: Mon, 16 Feb 2009 16:12:42 -0700
User-agent: Bazaar (1.5)

------------------------------------------------------------
revno: 9988
committer: address@hidden
branch nick: rtmp
timestamp: Mon 2009-02-16 16:12:42 -0700
message:
  trap some strings when the length has been corrupted.
modified:
  libnet/http.cpp
=== modified file 'libnet/http.cpp'
--- a/libnet/http.cpp   2009-02-14 22:42:54 +0000
+++ b/libnet/http.cpp   2009-02-16 23:12:42 +0000
@@ -1115,6 +1115,16 @@
     // Get the first name, which is a raw string, and not preceded by
     // a type byte.
     boost::shared_ptr<amf::Element > el1(new amf::Element);
+    
+    // If the length of the name field is corrupted, then we get out of
+    // range quick, and corrupt memory. This is a bit of a hack, but
+    // reduces memory errors caused by some of the corrupted tes cases.
+    boost::uint8_t *endstr = std::find(tmpptr, tmpptr+length, '\0');
+    if (endstr != tmpptr+length) {
+       log_debug("Caught corrupted string! length was %d, null at %d",
+                 length,  endstr-tmpptr);
+       length = endstr-tmpptr;
+    }
     el1->setName(tmpptr, length);
     tmpptr += length;
     headers.push_back(el1);
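Review bot: The added `std::find(tmpptr, tmpptr+length, '\0')` still uses the corrupted `length` as its upper bound, so the scan itself can read past the end of the received data. When no NUL lies inside that range, `setName(tmpptr, length)` runs with the bad length unchanged. The missing check is against the bytes actually remaining in the input, made before any scan or copy, e.g. `if (length > static_cast<size_t>(data_end - tmpptr)) { /* reject the message */ }`, where `data_end` is a placeholder for the end of the input buffer, which this hunk does not show. The same pattern is repeated for `el2` in the second hunk. The enclosing function starts and ends outside the hunk, so how it reports failure to its caller has to be confirmed there.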
@@ -1124,6 +1134,18 @@
     length = ntohs((*(boost::uint16_t *)tmpptr) & 0xffff);
     tmpptr += sizeof(boost::uint16_t);
     boost::shared_ptr<amf::Element > el2(new amf::Element);
+
+//     std::string name2(reinterpret_cast<const char *>(tmpptr), length);
+//     el2->setName(name2.c_str(), name2.size());
+    // If the length of the name field is corrupted, then we get out of
+    // range quick, and corrupt memory. This is a bit of a hack, but
+    // reduces memory errors caused by some of the corrupted tes cases.
+    endstr = std::find(tmpptr, tmpptr+length, '\0');
+    if (endstr != tmpptr+length) {
+       log_debug("Caught corrupted string! length was %d, null at %d",
+                 length,  endstr-tmpptr);
+       length = endstr-tmpptr;
+    }
     el2->setName(tmpptr, length);
     headers.push_back(el2);
     tmpptr += length;
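Review bot: When the NUL check fires, `length` is shortened and `tmpptr += length` advances only as far as the NUL, so parsing resumes at an offset that no longer matches the field layout the sender declared. The `el1` block in the first hunk behaves the same way, and the `ntohs` length read at the top of this hunk appears to be the next thing to consume data from that misaligned position. A name field with an embedded NUL is already known to be malformed, so treating it as a parse failure and stopping is safer than truncating and continuing. The two commented-out `name2` lines should be dropped rather than committed. The enclosing function starts and ends outside the hunk.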
@@ -1148,7 +1170,35 @@
 HTTP::formatEchoResponse(const std::string &num, amf::Element &el)
 {
 //    GNASH_REPORT_FUNCTION;
-    boost::shared_ptr<amf::Buffer> data = el.encode(); // 
amf::AMF::encodeElement(el);
+    boost::shared_ptr<amf::Buffer> data;
+    amf::Element nel = el;
+
+#if 0
+    if (el.getType() == amf::Element::STRICT_ARRAY_AMF0) {
+       if (el.propertySize()) {
+           for (int i=0 ; i<el.propertySize(); i++) {
+               boost::shared_ptr<amf::Element> child = el.getProperty(i);
+               boost::shared_ptr<amf::Element> newprop(new amf::Element);
+               *newprop = child;
+               if (child->getType() == amf::Element::OBJECT_AMF0) {
+                   for (int j=child->propertySize()-1; j>=0; j--) {
+//                 for (int j=0; j<child->propertySize(); j++) {
+                       newprop->addProperty(child->getProperty(j));
+                   }
+               }
+               nel.addProperty(newprop);
+           }
+           data = nel.encode();
+       } else {
+           data = el.encode();
+       }
+    } else {
+       data = el.encode();
+    }
+#else
+    data = el.encode();
+#endif
+
     return formatEchoResponse(num, data->reference(), data->allocated());
 }
 
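Review bot: `amf::Element nel = el;` copies the whole element on every call, but with the `#if 0` branch disabled `nel` is never used, so the compiled path pays for a copy and the function carries roughly twenty lines of dead code. Either move the declaration inside the `#if 0` block or leave the experiment out of this commit and keep only `data = el.encode();`. Separately, `data->reference()` is dereferenced without checking that `encode()` returned a non-null pointer. Whether `encode()` can return an empty pointer is not visible here; if it can, a null check is needed before the final call.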

