Bug 45794 - Type error in swfmoz_player_loaders_update
Summary: Type error in swfmoz_player_loaders_update
Status: NEW
Product: swfdec
Classification: Unclassified
Component: plugin
Version: unspecified
Hardware: SPARC NetBSD
Importance: medium normal
Assignee: swfdec ml
QA Contact: swfdec ml
Reported: 2012-02-08 09:31 UTC by Martin Husemann
Modified: 2012-02-13 03:40 UTC (History)

Attachments
patch we use in pkgsrc to fix the first instance (816 bytes, patch)
2012-02-13 03:40 UTC, Martin Husemann
pkgsrc patch for second instance (534 bytes, application/octet-stream)
2012-02-13 03:40 UTC, Martin Husemann

Description Martin Husemann 2012-02-08 09:31:20 UTC
The variable "error" is declared as gboolean, but then assigned via a call to g_object_get() on the "error" property. However, that property is a string (the error message) or NULL if no error. Since g_object_get() is a variadic function, the compiler will not catch this.

On alignment-critical architectures the pointer assignment to &error may cause a crash. On others, still some part of the stack may be overwritten.

Fix is simple: declare 

  gpointer error = NULL;

and change the test from

  if (error == TRUE)

to

  if (error != NULL)
Comment 1 Martin Husemann 2012-02-13 02:55:54 UTC
The same bug can be found in swfmoz_dialog.c:swfmoz_dialog_save_media
Comment 2 Martin Husemann 2012-02-13 03:40:13 UTC
Created attachment 56957
patch we use in pkgsrc to fix the first instance
Comment 3 Martin Husemann 2012-02-13 03:40:54 UTC
Created attachment 56958
pkgsrc patch for second instance
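
The mismatch described in this report, as an added example (not swfdec code and not part of the report or its patches): `demo_get_string` is a hypothetical stand-in for the variadic `g_object_get()` call on a string property, and `struct frame` is a constructed model of the caller's stack. It shows that the pointer-sized store can spill past an int-sized flag (gboolean is an int in GLib) and that `error == TRUE` does not match a message pointer, while the pattern from the report does.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CANARY 0xA5A5A5A5u
/* Hypothetical stand-in for g_object_get(obj, "error", &out, NULL): it stores
 * one char * at the address passed; the variadic call carries no type. */
static void demo_get_string(const char *value, ...)
{
    va_list ap;
    va_start(ap, value);
    void *dest = va_arg(ap, void *);
    va_end(ap);
    memcpy(dest, &value, sizeof value);   /* always sizeof(char *) bytes */
}

struct frame { int error; unsigned int neighbour; }; /* flag + adjacent data */
_Static_assert(sizeof(struct frame) >= sizeof(char *), "demo stays in bounds");

/* Buggy pattern, "no error" case: does the store spill past the flag? */
static int buggy_clobbers_neighbour(void)
{
    struct frame f = { 0, CANARY };
    demo_get_string(NULL, (void *)&f);    /* &f is also &f.error */
    return f.neighbour != CANARY;
}

/* Buggy pattern, error case: the flag holds pointer bits, not TRUE (1). */
static int buggy_sees_error(const char *msg)
{
    struct frame f = { 0, CANARY };
    demo_get_string(msg, (void *)&f);
    return f.error == 1;                  /* if (error == TRUE) */
}

/* Pattern from the report: pointer-sized storage, compared against NULL. */
static int fixed_sees_error(const char *msg)
{
    void *error = NULL;                   /* gpointer error = NULL; */
    demo_get_string(msg, (void *)&error);
    return error != NULL;                 /* if (error != NULL) */
}

int main(void)
{
    const char *m = "constructed message";
    printf("%d %d %d\n", buggy_clobbers_neighbour(), buggy_sees_error(m), fixed_sees_error(m));
    return 0;
}
```

On a platform where pointers and int have the same size the neighbour survives, but the `== TRUE` comparison still misses the error.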

