On Wed, Feb 09, 2011 at 11:27:27AM +0100, strk wrote:
> On Tue, Feb 08, 2011 at 06:56:32PM -0700, Rob Savoye wrote:
> >
> > Just cause I'm the one that makes the release, doesn't
> > mean I'm the one that has to fix all the bugs.
>
> Agreed.
> It would be enough to review the ones assigned to you and the ones
> marked with severities from Important up.
Rob, I did go through bug #31766, which is the one making it impossible
to use Gnash with chromium, and managed to obtain a new backtrace
(attached to the bug).
Now, the backtrace points at ExternalInterface and I think I spotted
a possibly unsafe operation performed by it:
ExternalInterface::parseInvoke(const std::string &xml);
ExternalInterface::ExternalEventCheck
..
boost::scoped_array<char> buffer(new char[bytes+1]);
return parseInvoke(buffer.get());
The code above writes a zero one byte after the allocated amount.
A short testcase follows (build and run with valgrind):
----8<--------------
#include <cstddef>   // size_t
int main()
{
size_t bytes = 2;
char *buffer = new char[bytes+1];   // valid indices are 0..bytes
buffer[bytes+1] = 0;                // off-by-one: writes one byte past the end
delete[] buffer;                    // free so valgrind reports only the invalid write
}
----8<--------------
I believe that ExternalInterface.cpp is code you wrote, in which case I think
you should fix that, to avoid confusion about who broke what.
--strk;
() Free GIS & Flash consultant/developer
/\ http://strk.keybit.net/services.html
_______________________________________________
Gnash-dev mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/gnash-dev
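The off-by-one described in the message above, shown as an added example that is not from the list post or from the Gnash sources: a buffer of `bytes+1` chars has valid indices `0..bytes`, so the terminator belongs at index `bytes`, not `bytes+1`. The helper names `buggy_terminator_is_caught` and `terminate_copy` and the two-byte payload are constructed for this illustration. Using `std::vector` with `.at()` turns the bad index into a `std::out_of_range` exception instead of a silent heap write, which is how a regression test for this class of bug can fail loudly even without valgrind.

```cpp
#include <cstddef>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for the pattern in the post: copy `bytes` raw bytes
// into a heap buffer and NUL-terminate it so it can be handed to a C-string
// parser. Not Gnash code; constructed for illustration.

// The post's indexing: the terminator is written at bytes+1 although the
// buffer holds bytes+1 elements (valid indices 0..bytes). With a vector and
// .at(), the off-by-one is rejected with std::out_of_range instead of
// corrupting the heap. Returns true when the bad write was rejected.
bool buggy_terminator_is_caught(std::size_t bytes)
{
    std::vector<char> buffer(bytes + 1);
    try {
        buffer.at(bytes + 1) = 0;   // one element past the end
    } catch (const std::out_of_range &) {
        return true;
    }
    return false;
}

// Corrected version: the terminator goes at index `bytes`, the last element
// of a buffer sized bytes+1. The buffer is released when it goes out of scope.
std::string terminate_copy(const char *data, std::size_t bytes)
{
    std::vector<char> buffer(bytes + 1);   // value-initialised to 0
    if (bytes > 0)
        std::memcpy(buffer.data(), data, bytes);
    buffer.at(bytes) = 0;                  // in bounds: last valid index
    return std::string(buffer.data());
}

int main()
{
    const char raw[] = {'o', 'k'};   // constructed 2-byte payload with no NUL
    std::string s = terminate_copy(raw, sizeof raw);
    return (s == "ok" && buggy_terminator_is_caught(sizeof raw)) ? 0 : 1;
}
```

Compile with `g++ -std=c++11 -Wall` and run; exit status 0 means the corrected copy produced "ok" and the original index was rejected by the bounds check.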