Mercurial > mplayer.hg
changeset 33098:b61dff4c9a35
Prevent an out-of-bounds array access.
Before adding a new item, check whether the corresponding Items array
has space left to actually store it.
| author | ib |
|---|---|
| date | Fri, 01 Apr 2011 21:23:50 +0000 |
| parents | 533c658a18da |
| children | 0b17f6bed6fc |
| files | gui/skin/skin.c help/help_mp-de.h help/help_mp-en.h |
| diffstat | 3 files changed, 64 insertions(+), 26 deletions(-) [+] |
line wrap: on
line diff
--- a/gui/skin/skin.c Fri Apr 01 20:42:06 2011 +0000 +++ b/gui/skin/skin.c Fri Apr 01 21:23:50 2011 +0000 @@ -115,6 +115,19 @@ return i; } +static wItem *next_item(void) +{ + wItem *item = NULL; + + if (*currWinItemIdx < MAX_ITEMS - 1) { + (*currWinItemIdx)++; + item = &currWinItems[*currWinItemIdx]; + } else + skin_error(MSGTR_SKIN_TooManyItemsDeclared); + + return item; +} + // section=movieplayer static int cmd_section(char *in) { @@ -360,6 +373,7 @@ unsigned char file[512]; int x, y, w, h, message; char msg[32]; + wItem *item; if (!window_cmd("button")) return 1; @@ -383,35 +397,39 @@ return 1; } - (*currWinItemIdx)++; - currWinItems[*currWinItemIdx].type = itButton; - currWinItems[*currWinItemIdx].x = x; - currWinItems[*currWinItemIdx].y = y; - currWinItems[*currWinItemIdx].width = w; - currWinItems[*currWinItemIdx].height = h; - currWinItems[*currWinItemIdx].message = message; + item = next_item(); + + if (!item) + return 1; + + item->type = itButton; + item->x = x; + item->y = y; + item->width = w; + item->height = h; + item->message = message; mp_dbg(MSGT_GPLAYER, MSGL_DBG2, "[skin] button image: %s %d,%d\n", fname, x, y); mp_dbg(MSGT_GPLAYER, MSGL_DBG2, "[skin] message: %s (#%d)\n", msg, message); mp_dbg(MSGT_GPLAYER, MSGL_DBG2, "[skin] size: %dx%d\n", w, h); - currWinItems[*currWinItemIdx].pressed = btnReleased; + item->pressed = btnReleased; - if (currWinItems[*currWinItemIdx].message == evPauseSwitchToPlay) - currWinItems[*currWinItemIdx].pressed = btnDisabled; + if (item->message == evPauseSwitchToPlay) + item->pressed = btnDisabled; - currWinItems[*currWinItemIdx].tmp = 1; + item->tmp = 1; - currWinItems[*currWinItemIdx].Bitmap.Image = NULL; + item->Bitmap.Image = NULL; if (strcmp(fname, "NULL") != 0) { av_strlcpy(file, path, sizeof(file)); av_strlcat(file, fname, sizeof(file)); - if (skinBPRead(file, &currWinItems[*currWinItemIdx].Bitmap) != 0) + if (skinBPRead(file, &item->Bitmap) != 0) return 1; - mp_dbg(MSGT_GPLAYER, MSGL_DBG2, "[skin] (bitmap: %lux%lu)\n", currWinItems[*currWinItemIdx].Bitmap.Width, currWinItems[*currWinItemIdx].Bitmap.Height); + mp_dbg(MSGT_GPLAYER, MSGL_DBG2, "[skin] (bitmap: %lux%lu)\n", item->Bitmap.Width, item->Bitmap.Height); } return 0; @@ -482,8 +500,11 @@ return 1; } - (*currWinItemIdx)++; - item = &currWinItems[*currWinItemIdx]; + item = next_item(); + + if (!item) + return 1; + item->x = x; item->y = y; item->width = w; @@ -539,8 +560,11 @@ mp_dbg(MSGT_GPLAYER, MSGL_DBG2, "[skin] numphases: %d, default: %d%%\n", ph, d); mp_dbg(MSGT_GPLAYER, MSGL_DBG2, "[skin] message: %s (#%d)\n", buf, message); - (*currWinItemIdx)++; - item = &currWinItems[*currWinItemIdx]; + item = next_item(); + + if (!item) + return 1; + item->type = itHPotmeter; item->x = x; item->y = y; @@ -631,8 +655,11 @@ mp_dbg(MSGT_GPLAYER, MSGL_DBG2, "[skin] numphases: %d, default: %d%%\n", ph, d); mp_dbg(MSGT_GPLAYER, MSGL_DBG2, "[skin] message: %s (#%d)\n", buf, message); - (*currWinItemIdx)++; - item = &currWinItems[*currWinItemIdx]; + item = next_item(); + + if (!item) + return 1; + item->type = itPotmeter; item->x = x; item->y = y; @@ -672,8 +699,11 @@ cutItem(in, fnt, ',', 0); // Note: This seems needless but isn't for compatibility // reasons with a meanwhile depreciated second parameter. - (*currWinItemIdx)++; - item = &currWinItems[*currWinItemIdx]; + item = next_item(); + + if (!item) + return 1; + item->type = itFont; item->fontid = fntRead(path, fnt); @@ -734,8 +764,11 @@ mp_dbg(MSGT_GPLAYER, MSGL_DBG2, "[skin] font: %s (#%d)\n", fnt, id); - (*currWinItemIdx)++; - item = &currWinItems[*currWinItemIdx]; + item = next_item(); + + if (!item) + return 1; + item->type = itSLabel; item->fontid = id; item->x = x; @@ -789,8 +822,11 @@ mp_dbg(MSGT_GPLAYER, MSGL_DBG2, "[skin] font: %s (#%d)\n", fnt, id); - (*currWinItemIdx)++; - item = &currWinItems[*currWinItemIdx]; + item = next_item(); + + if (!item) + return 1; + item->type = itDLabel; item->fontid = id; item->align = a;
--- a/help/help_mp-de.h Fri Apr 01 20:42:06 2011 +0000 +++ b/help/help_mp-de.h Fri Apr 01 21:23:50 2011 +0000 @@ -785,6 +785,7 @@ #define MSGTR_SKIN_BITMAP_ConversionError "24-bpp-zu-32-bpp-Konvertierungsfehler in %s\n" #define MSGTR_SKIN_UnknownMessage "Unbekannte Nachricht '%s'\n" #define MSGTR_SKIN_NotEnoughMemory "Nicht genug Speicher\n" +#define MSGTR_SKIN_TooManyItemsDeclared "Zu viele Elemente deklariert.\n" #define MSGTR_SKIN_FONT_TooManyFontsDeclared "Zu viele Schriften deklariert.\n" #define MSGTR_SKIN_FONT_FontFileNotFound "Schrift-Beschreibungsdatei nicht gefunden.\n" #define MSGTR_SKIN_FONT_FontImageNotFound "Schrift-Bilddatei nicht gefunden.\n"
--- a/help/help_mp-en.h Fri Apr 01 20:42:06 2011 +0000 +++ b/help/help_mp-en.h Fri Apr 01 21:23:50 2011 +0000 @@ -588,6 +588,7 @@ #define MSGTR_SKIN_BITMAP_ConversionError "24 bit to 32 bit conversion error in %s\n" #define MSGTR_SKIN_UnknownMessage "Unknown message '%s'\n" #define MSGTR_SKIN_NotEnoughMemory "Not enough memory\n" +#define MSGTR_SKIN_TooManyItemsDeclared "Too many items declared.\n" #define MSGTR_SKIN_FONT_TooManyFontsDeclared "Too many fonts declared.\n" #define MSGTR_SKIN_FONT_FontFileNotFound "Font description file not found.\n" #define MSGTR_SKIN_FONT_FontImageNotFound "Font image file not found.\n"