
#26 segfault when doActionReturn can't find StackPointerObject

open
nobody
None
5
2005-12-09
2005-12-09
No

Steps to reproduce:
1) wget http://iki.fi/lindi/google-video.swf
2) player/flashplayer google-video.swf

Expected results:
2) flashplayer should play the file or print an error

Actual results:
2) flashplayer segfaults:

Program received signal SIGSEGV, Segmentation fault.
0x08060e33 in SwfEngine::executeCode (this=0x84e9158, code=0x8507498 "\210è", size=0) at swf_engine.cc:1441
1441 while (*p != 0) {
(gdb) bt
#0 0x08060e33 in SwfEngine::executeCode (this=0x84e9158, code=0x8507498 "\210è", size=0) at swf_engine.cc:1441
#1 0x08062061 in SwfEngine::doInitActiontag (this=0x84e9158, tag=0x8506930) at swf_engine.cc:1258
#2 0x08065f02 in SwfEngine::tagDispatch (this=0x84e9158, tag=0x8506930) at swf_engine.cc:728
#3 0x080687e9 in SwfEngine::next (this=0x84e9158) at swf_engine.cc:146
#4 0x08056679 in render (decoder=0x84e1658, normalSpeed=false) at flashplayer.cc:142
#5 0x08056aef in main (argc=2, argv=0x19) at flashplayer.cc:263
(gdb) print p
$1 = (UI8 *) 0x19 <Address 0x19 out of bounds>

That mysterious 0x19 seems to come from
Script::doActionReturn which has the following fragment:

while (execStack.size() > 0 &&
       top()->getObjectType() != StackPointerObjectType) {
    dumpStack();
    wcout << L"\n *********** Stack ERROR: pop one element:" << *top() << L"\n";
    pop();
}
StackPointerObject *sp = (StackPointerObject*)pop();
*p = sp->getValue();

Now it seems that execStack() == 0 and thus pop() will
actually return "new ValueObject()". Next flashplayer
goes and casts this ValueObject to a StackPointerObject.

Invalid casts can cause very nasty bugs; how about
using some macro that will check that objectType is
correct after all casts?

Also, what should doActionReturn do if the stack does not
contain anything of type StackPointerObjectType?
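The two suggestions in the report (a type-checked cast and a defined failure path when no StackPointerObject is on the stack) can be illustrated with a small, self-contained model. This is an added example, not flashplayer's code: the object classes, ExecStack, checkedCast and the CHECKED_CAST macro are hypothetical stand-ins for the engine's real types, and pop() on an empty stack deliberately hands back a fresh ValueObject, mirroring the behaviour the report describes, so that the checked cast is what catches the mismatch.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <vector>

// Hypothetical miniature of the engine's object model (not the project's code).
enum ObjectType { ValueObjectType, StackPointerObjectType };

struct Object {
    virtual ~Object() {}
    virtual ObjectType getObjectType() const = 0;
};

struct ValueObject : Object {
    static const ObjectType kType = ValueObjectType;
    ObjectType getObjectType() const override { return kType; }
};

// Holds the saved return position in the action bytecode.
struct StackPointerObject : Object {
    static const ObjectType kType = StackPointerObjectType;
    explicit StackPointerObject(std::size_t v) : value(v) {}
    ObjectType getObjectType() const override { return kType; }
    std::size_t getValue() const { return value; }
    std::size_t value;
};

// Checked downcast: verifies the runtime type tag before converting and
// returns nullptr on mismatch instead of producing a mistyped pointer.
template <typename T>
T* checkedCast(Object* obj) {
    if (obj == nullptr || obj->getObjectType() != T::kType) return nullptr;
    return static_cast<T*>(obj);
}
#define CHECKED_CAST(T, obj) checkedCast<T>(obj)

class ExecStack {
public:
    void push(Object* o) { items.push_back(std::unique_ptr<Object>(o)); }
    // Mirrors the behaviour the report describes: popping an empty stack
    // yields a fresh ValueObject rather than failing.
    std::unique_ptr<Object> pop() {
        if (items.empty()) return std::unique_ptr<Object>(new ValueObject());
        std::unique_ptr<Object> t = std::move(items.back());
        items.pop_back();
        return t;
    }
    std::size_t size() const { return items.size(); }
    Object* top() const { return items.empty() ? nullptr : items.back().get(); }
private:
    std::vector<std::unique_ptr<Object>> items;
};

// Returns true and stores the saved position in *p when a StackPointerObject
// was found. Returns false and leaves *p untouched otherwise, so the caller
// can abort the script instead of continuing with a bogus code pointer.
bool doActionReturn(ExecStack& execStack, std::size_t* p) {
    // Unwind stray values left above the saved stack pointer.
    while (execStack.size() > 0 &&
           execStack.top()->getObjectType() != StackPointerObjectType) {
        std::fprintf(stderr, "Stack ERROR: popping stray element\n");
        execStack.pop();
    }
    if (execStack.size() == 0) return false;   // nothing to return to
    std::unique_ptr<Object> obj = execStack.pop();
    StackPointerObject* sp = CHECKED_CAST(StackPointerObject, obj.get());
    if (sp == nullptr) return false;           // cheap guard against the invalid cast
    *p = sp->getValue();
    return true;
}

// Constructed scenarios; 0x19 is the sentinel "old" value of p, as in the report.
std::size_t returnTargetWellFormed() {
    ExecStack s;
    s.push(new StackPointerObject(0x40));
    s.push(new ValueObject());               // stray value above the saved pointer
    std::size_t p = 0x19;
    doActionReturn(s, &p);
    return p;                                // 0x40
}
bool returnSucceedsOnEmpty() {
    ExecStack s;
    std::size_t p = 0x19;
    return doActionReturn(s, &p);            // false
}
std::size_t returnTargetOnEmpty() {
    ExecStack s;
    std::size_t p = 0x19;
    doActionReturn(s, &p);
    return p;                                // 0x19, unchanged
}
bool checkedCastRejectsValueObject() {
    ValueObject v;
    return CHECKED_CAST(StackPointerObject, &v) == nullptr;   // true
}

int main() {
    std::printf("well-formed: 0x%zx\n", returnTargetWellFormed());
    std::printf("empty stack handled: %s\n", returnSucceedsOnEmpty() ? "no" : "yes");
    std::printf("checked cast rejects ValueObject: %s\n",
                checkedCastRejectsValueObject() ? "yes" : "no");
    return 0;
}
```

The important design point is that doActionReturn now has a return value the caller must inspect: in the original fragment the result of the cast is dereferenced unconditionally, which is how the engine ended up at address 0x19 in executeCode.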
