From 9c53bf8e165c3a74e20f4c93b4ab6c05fe67f187 Mon Sep 17 00:00:00 2001
From: Hugo Lefeuvre <hle@debian.org>
Date: Mon, 19 Feb 2018 18:06:31 +0100
Subject: [PATCH 29/29] Use OpCode instead of directly accessing actions
Instead of directly accessing the actions array without checks for the value of n (which may lead to heap buffer overflow etc, see #83 or #105), use the dedicated OpCode function.
---
 util/decompile.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/util/decompile.c b/util/decompile.c
index 1126ef0f..2cb3fbd4 100644
--- a/util/decompile.c
+++ b/util/decompile.c
@@ -1196,7 +1196,7 @@ decompileArithmeticOp(int n, SWF_ACTION *actions, int maxn)
 }
 default:
 printf("Unhandled Arithmetic/Logic OP %x\n",
- actions[n].SWF_ACTIONRECORD.ActionCode);
+ OpCode(actions, n, maxn));
 }
 return 0;
 }
@@ -1232,7 +1232,7 @@ isLogicalOp(int n, SWF_ACTION *actions, int maxn)
 static int
 isLogicalOp2(int n, SWF_ACTION *actions,int maxn)
 {
- switch(actions[n].SWF_ACTIONRECORD.ActionCode)
+ switch(OpCode(actions, n, maxn))
 {
 case SWFACTION_LOGICALNOT:
 case SWFACTION_PUSHDUP:
@@ -2098,7 +2098,7 @@ decompile_SWITCH(int n, SWF_ACTION *actions, int maxn, int off1end)
 #ifdef DEBUGSWITCH
 println("in ccsize: ccsize=%d off=%d %s", ccsize,actions[ccsize+start].SWF_ACTIONRECORD.Offset,
- actionName(actions[ccsize+start].SWF_ACTIONRECORD.ActionCode));
+ actionName(OpCode(actions, ccsize+start, maxn)));
 #endif
 if (OpCode(actions, ccsize+start, maxn) == SWFACTION_JUMP)
 {
@@ -2125,7 +2125,7 @@ decompile_SWITCH(int n, SWF_ACTION *actions, int maxn, int off1end)
 }
 pend=start;
 #endif
- if (actions[i].SWF_ACTIONRECORD.ActionCode==SWFACTION_JUMP)
+ if (OpCode(actions, i, maxn) == SWFACTION_JUMP)
 {
 if (ccsize<=1) break; // ready
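Review bot: In the @@ -2098 hunk the println line directly above the changed line still reads `actions[ccsize+start].SWF_ACTIONRECORD.Offset` without any bound check, so under DEBUGSWITCH the same out-of-range element whose opcode is now fetched through OpCode() is still dereferenced one line earlier, just on a different field. The same leftover appears in the debug printlns of the @@ -2164 hunk (`actions[i+cvsize].SWF_ACTIONRECORD.Offset`) and the @@ -2404 hunk (`actions[n+1+else_action_cnt].SWF_ACTIONRECORD.Offset`). Since all three are debug-only, guarding each println with the bound OpCode presumably enforces, e.g. `if (ccsize+start < maxn)` in front of the call, closes them without touching the non-debug path; OpCode's exact contract (0 <= n < maxn?) is not visible in this patch and should be confirmed first.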
@@ -2164,23 +2164,23 @@ decompile_SWITCH(int n, SWF_ACTION *actions, int maxn, int off1end)
 tmp=switchToOrigString(origbuf);
 #endif
- if (actions[i].SWF_ACTIONRECORD.ActionCode==SWFACTION_JUMP) // after "default:"
+ if (OpCode(actions, i, maxn) == SWFACTION_JUMP) // after "default:"
 {
 break; // ready
 }
 else
 {
- if (actions[i+1].SWF_ACTIONRECORD.ActionCode!=SWFACTION_JUMP) // not before "default:" or end
+ if (OpCode(actions, i+1, maxn) != SWFACTION_JUMP) // not before "default:" or end
 {
 i++; // the 'if' itself
 cvsize=0;
 while (i+cvsize < n_firstactions && actions[i+cvsize].SWF_ACTIONRECORD.ActionCode!=SWFACTION_STRICTEQUALS)
+ && OpCode(actions, i+cvsize, maxn) != SWFACTION_STRICTEQUALS)
 {
 #ifdef DEBUGSWITCH
 println("in cvsize=%d %d %s", cvsize, actions[i+cvsize].SWF_ACTIONRECORD.Offset,
- actionName(actions[i+cvsize].SWF_ACTIONRECORD.ActionCode));
+ actionName(OpCode(actions, i+cvsize, maxn)));
 #endif
 cvsize++; // count "case X:" code size
 }
@@ -2357,7 +2357,7 @@ decompileIF(int n, SWF_ACTION *actions, int maxn)
 /* if on a level >0 we can check for any outer loop To do: get the level on a better way than using gIndent */
 if (gIndent
- && actions[maxn-1].SWF_ACTIONRECORD.ActionCode==SWFACTION_JUMP
+ && OpCode(actions, maxn-1, maxn) == SWFACTION_JUMP
 && actions[maxn-1].SWF_ACTIONJUMP.Offset+actions[maxn].SWF_ACTIONJUMP.BranchOffset==
 sact->Actions[sact->numActions-1].SWF_ACTIONJUMP.Offset+sact->Actions[sact->numActions-1].SWF_ACTIONJUMP.BranchOffset)
 {
@@ -2404,7 +2404,7 @@ decompileIF(int n, SWF_ACTION *actions, int maxn)
 else_action_cnt++)
 {
 #if SOME_IF_DEBUG
- println("/* ELSE OP 0x%x at %d*/",actions[n+1+else_action_cnt].SWF_ACTIONRECORD.ActionCode,
+ println("/* ELSE OP 0x%x at %d*/", OpCode(actions, n+1+else_action_cnt, maxn),
 actions[n+1+else_action_cnt].SWF_ACTIONRECORD.Offset)
 #endif
 ;
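Review bot: In the @@ -2357 hunk the new `OpCode(actions, maxn-1, maxn)` bounds only the opcode read; the next operand of the same `&&` still reads `actions[maxn].SWF_ACTIONJUMP.BranchOffset`, i.e. index maxn, which is one past the last element if maxn is the count OpCode checks against, so the check does not cover the field access that follows it. The asymmetry with the right-hand side, which uses `sact->Actions[sact->numActions-1]` for both Offset and BranchOffset, suggests `actions[maxn-1].SWF_ACTIONJUMP.BranchOffset` may have been intended; if `actions[maxn]` is deliberate (the caller's array extending past this sub-block), that invariant deserves a comment on the line, e.g. `/* actions[maxn] is the jump following this block in the caller's array; valid because ... */`, since from the hunk alone it reads like the overflow the commit message describes. decompileIF's body begins and ends outside the hunk, so whether maxn can be the full array length here cannot be confirmed from this patch.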
@@ -2427,7 +2427,7 @@ decompileIF(int n, SWF_ACTION *actions, int maxn)
 }
 for (j=0;j<else_action_cnt;j++)
 {
- if (actions[n+j].SWF_ACTIONRECORD.ActionCode==SWFACTION_JUMP) // perhaps more ops
+ if (OpCode(actions, n+j, maxn) == SWFACTION_JUMP) // perhaps more ops
 {
 sbe=i=has_else_or_break=0;
 break;
@@ -2533,7 +2533,7 @@ decompileIF(int n, SWF_ACTION *actions, int maxn)
 int limit=actions[n+1].SWF_ACTIONRECORD.Offset + sact->Actions[sact->numActions-1].SWF_ACTIONJUMP.BranchOffset; // limit == dest of jmp == offset next op after 'if' + jumpdist at end of 'if'
 int lastopsize=actions[maxn-1].SWF_ACTIONRECORD.Length;
- if (actions[maxn-1].SWF_ACTIONRECORD.ActionCode == SWFACTION_IF)
+ if (OpCode(actions, maxn-1, maxn) == SWFACTION_IF)
 lastopsize+=actions[maxn-1].SWF_ACTIONIF.BranchOffset + 3; /* +3 see parser.c: "Action + Length bytes not included in the length" */
 if (offseoloop
@@ -2880,8 +2880,7 @@ decompileCALLFUNCTION(int n, SWF_ACTION *actions, int maxn)
 {
 struct SWF_ACTIONPUSHPARAM *meth, *nparam;
- SanityCheck(SWF_CALLMETHOD,
- n > 0 && actions[n-1].SWF_ACTIONRECORD.ActionCode == SWFACTION_PUSH,
+ SanityCheck(SWF_CALLMETHOD, OpCode(actions, n-1, maxn) == SWFACTION_PUSH,
 "CALLMETHOD not preceeded by PUSH")
 meth=pop();
-- 
2.14.3
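Review bot: In the @@ -2533 hunk `int lastopsize=actions[maxn-1].SWF_ACTIONRECORD.Length;` on the line above the changed one dereferences `actions[maxn-1]` before `OpCode(actions, maxn-1, maxn)` gets a chance to validate that index, so for a caller passing maxn == 0 the out-of-range read happens regardless of the new check; `actions[n+1].SWF_ACTIONRECORD.Offset` two lines earlier is likewise never compared against maxn. Moving the OpCode() call ahead of the Length read, or guarding these three lines with `if (maxn > 0 && n+1 < maxn)`, would make the check precede the accesses it is meant to protect. Whether maxn can be 0 or n+1 can reach maxn here depends on decompileIF's callers, which are outside the hunk.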
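Review bot: In the @@ -2880 hunk the removed `n > 0 &&` guard is now delegated entirely to `OpCode(actions, n-1, maxn)`; that is only equivalent if OpCode rejects a negative index as well as one at or above maxn, which this patch does not show. If OpCode checks only the upper bound, a CALLMETHOD at n == 0 reads actions[-1] here, so either keep the explicit guard, `SanityCheck(SWF_CALLMETHOD, n > 0 && OpCode(actions, n-1, maxn) == SWFACTION_PUSH,`, or confirm and document in OpCode's comment that n < 0 is handled. The enclosing function's signature lies outside the hunk (the @@ context names decompileCALLFUNCTION while the check is for CALLMETHOD), so the range of n reaching this point cannot be verified from the patch alone.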