Bug 45794

Summary: Type error in swfmoz_player_loaders_update
Product: swfdec
Reporter: Martin Husemann <martin>
Component: plugin
Assignee: swfdec ml <swfdec>
Status: NEW ---
QA Contact: swfdec ml <swfdec>
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: SPARC   
OS: NetBSD   
Whiteboard:
Attachments: patch we use in pkgsrc to fix the first instance
pkgsrc patch for second instance

Description Martin Husemann 2012-02-08 09:31:20 UTC
The variable "error" is declared as gboolean, but then assigned via a call to g_object_get() on the "error" property. However, that property is a string (the error message) or NULL if no error. Since g_object_get() is a variadic function, the compiler will not catch this.

On alignment-critical architectures the pointer assignment to &error may cause a crash. On others, still some part of the stack may be overwritten.

Fix is simple: declare 

  gpointer error = NULL;

and change the test from

  if (error == TRUE)

to

  if (error != NULL)

Comment 1 Martin Husemann 2012-02-13 02:55:54 UTC
The same bug can be found in swfmoz_dialog.c:swfmoz_dialog_save_media

Comment 2 Martin Husemann 2012-02-13 03:40:13 UTC
Created attachment 56957
patch we use in pkgsrc to fix the first instance

Comment 3 Martin Husemann 2012-02-13 03:40:54 UTC
Created attachment 56958
pkgsrc patch for second instance
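
The size mismatch described in this report, as an added example that is not code from swfdec, GLib or the attached patches: a variadic getter stores a pointer-sized value through an untyped address, so an int-sized destination gets its neighbour overwritten wherever pointers are wider than int. The names mock_object_get, struct player and union frame are hypothetical, and the overwrite is modelled inside a union so the demonstration itself stays well defined; the alignment fault is not modelled.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the object that owns a string "error" property. */
struct player { const char *error; };

/* Mock of a g_object_get()-style getter (not GLib code): each property name is
 * followed by an untyped destination address, so the compiler cannot check
 * that the destination is large enough for the value stored through it. */
static void mock_object_get(const struct player *p, ...)
{
    va_list ap;
    const char *name;
    va_start(ap, p);
    while ((name = va_arg(ap, const char *)) != NULL) {
        void *dest = va_arg(ap, void *);
        if (strcmp(name, "error") == 0)
            memcpy(dest, &p->error, sizeof p->error); /* pointer-sized store */
    }
    va_end(ap);
}

/* Models the buggy stack layout safely: an int-sized "error" slot followed by
 * a neighbouring int, inside a union big enough to absorb the whole store. */
union frame { struct { int error; int neighbour; } s; char *whole; };

/* Returns 1 if the store aimed at the int-sized slot changed its neighbour. */
static int buggy_store_clobbers_neighbour(const struct player *p)
{
    union frame f = { { 0, -1 } };  /* "gboolean error" = 0, sentinel = -1 */
    /* &f is also the address of f.s.error, the gboolean-sized destination. */
    mock_object_get(p, "error", (void *)&f, (char *)NULL);
    return f.s.neighbour != -1;
}

/* Pattern from the report's fix: pointer-sized destination, NULL test. */
static int has_error(const struct player *p)
{
    void *error = NULL;   /* gpointer in GLib terms */
    mock_object_get(p, "error", (void *)&error, (char *)NULL);
    return error != NULL;
}

int main(void)
{
    struct player failed = { "constructed error message" };
    printf("%d %d\n", has_error(&failed), buggy_store_clobbers_neighbour(&failed));
    return 0;
}
```

With the real g_object_get(), a string property is returned as a newly allocated copy, so code using the corrected pattern also needs to g_free() the value once it has been tested.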
