24080 2009-02-22 11:40:32 -0800 NPN_GetValue casting to the wrong type and writing outside bounds 2009-03-01 16:43:08 -0800 1 1 1 Unclassified WebKit Plug-ins 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 lewing webkit-unassigned andersca ap oldest_to_newest 110510 0 lewing 2009-02-22 11:40:32 -0800 PluginView is casting NPBool types to uint32 and as a result writing outside the memory it owns potentially trashing the stack. 110511 1 27868 lewing 2009-02-22 11:41:38 -0800 Created attachment 27868 fix for the problem 110580 2 27881 lewing 2009-02-23 07:58:18 -0800 Created attachment 27881 Patch with ChangeLog 110629 3 27881 ap 2009-02-23 13:40:53 -0800 Comment on attachment 27881 Patch with ChangeLog Looks like this was meant for review, marking as such. 111493 4 ap 2009-02-27 11:11:29 -0800 Per IRC discussion, this is a problem on other platforms, too. 111503 5 ap 2009-02-27 11:35:23 -0800 <http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/plugins/plugin_host.cc> seems to have the same issue, even though this code doesn't look like it was derived from WebKit. 111518 6 27881 andersca 2009-02-27 12:10:59 -0800 Comment on attachment 27881 Patch with ChangeLog r=me 111520 7 27881 ap 2009-02-27 12:13:15 -0800 Comment on attachment 27881 Patch with ChangeLog Clearing review flag, because Larry is working on a patch which will fix this for all platforms. 111524 8 28099 lewing 2009-02-27 12:21:27 -0800 Created attachment 28099 Patch for all platforms Fix the NPBool values for all platforms and use c++ style casts 111689 9 28099 ap 2009-03-01 05:47:55 -0800 Comment on attachment 28099 Patch for all platforms r=me There are tabs in ChangeLog, they will need to be replaced with spaces when landing. 111767 10 levin 2009-03-01 16:43:08 -0800 Committed as r41346. 27868 2009-02-22 11:41:38 -0800 2009-02-23 07:58:18 -0800 fix for the problem getvalue.patch text/plain 708 lewing ZGlmZiAtLWdpdCBhL1dlYkNvcmUvcGx1Z2lucy9ndGsvUGx1Z2luVmlld0d0ay5jcHAgYi9XZWJD b3JlL3BsdWdpbnMvZ3RrL1BsdWdpblZpZXdHdGsuY3BwCmluZGV4IDJiOTNlNTYuLmY5ZmQxYjIg MTAwNjQ0Ci0tLSBhL1dlYkNvcmUvcGx1Z2lucy9ndGsvUGx1Z2luVmlld0d0ay5jcHAKKysrIGIv V2ViQ29yZS9wbHVnaW5zL2d0ay9QbHVnaW5WaWV3R3RrLmNwcApAQCAtMzU3LDE0ICszNTcsMTQg QEAgTlBFcnJvciBQbHVnaW5WaWV3OjpnZXRWYWx1ZVN0YXRpYyhOUE5WYXJpYWJsZSB2YXJpYWJs ZSwgdm9pZCogdmFsdWUpCiAKICAgICBjYXNlIE5QTlZTdXBwb3J0c1hFbWJlZEJvb2w6CiAjaWYg UExBVEZPUk0oWDExKQotICAgICAgICAqKCh1aW50MzIgKil2YWx1ZSkgPSB0cnVlOworICAgICAg ICAqKChOUEJvb2wgKil2YWx1ZSkgPSB0cnVlOwogI2Vsc2UKLSAgICAgICAgKigodWludDMyICop dmFsdWUpID0gZmFsc2U7CisgICAgICAgICooKE5QQm9vbCAqKXZhbHVlKSA9IGZhbHNlOwogI2Vu ZGlmCiAgICAgICAgIHJldHVybiBOUEVSUl9OT19FUlJPUjsKIAogICAgIGNhc2UgTlBOVmphdmFz Y3JpcHRFbmFibGVkQm9vbDoKLSAgICAgICAgKigodWludDMyICopdmFsdWUpID0gdHJ1ZTsKKyAg ICAgICAgKigoTlBCb29sICopdmFsdWUpID0gdHJ1ZTsKICAgICAgICAgcmV0dXJuIE5QRVJSX05P X0VSUk9SOwogCiAgICAgZGVmYXVsdDoK 27881 2009-02-23 07:58:18 -0800 2009-02-27 12:21:27 -0800 Patch with ChangeLog getvalue.patch text/plain 1309 lewing ZGlmZiAtLWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXgg ZmIyZWZhYi4uMGJkY2YzMSAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2Vi Q29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxNSBAQAorMjAwOS0wMi0yMyAgTGFycnkgRXdpbmcg IDxsZXdpbmdAbm92ZWxsLmNvbT4KKworCVJldmlld2QgYnkgTk9CT0RZIChPT1BTISkKKworCWh0 dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yNDA4MAorCU5QTl9HZXRWYWx1 ZSBjYXN0aW5nIHRvIHRoZSB3cm9uZyB0eXBlIGFuZCB3cml0aW5nIG91dHNpZGUgYm91bmRzCisK KwlNYWtlIHN1cmUgdG8gY2FzdCB0aGUgdmFsdWUgdG8gdGhlIGNvcnJlY3QgdHlwZSBzbyB0aGF0 IG9ubHkKKwltZW1vcnkgb3duZWQgYnkgdGhlIHZhbHVlIGlzIHdyaXR0ZW4gdG8uCisKKwkqIHBs dWdpbnMvZ3RrL1BsdWdpblZpZXdHdGsuY3BwIChQbHVnaW5WaWV3OjpnZXRWYWx1ZVN0YXRpYyk6 IAorCiAyMDA5LTAyLTIzICBYYW4gTG9wZXogIDx4YW5AZ25vbWUub3JnPgogCiAgICAgICAgIFJl dmlld2VkIGJ5IEFsZXhleSBQcm9za3VyeWFrb3YuCmRpZmYgLS1naXQgYS9XZWJDb3JlL3BsdWdp bnMvZ3RrL1BsdWdpblZpZXdHdGsuY3BwIGIvV2ViQ29yZS9wbHVnaW5zL2d0ay9QbHVnaW5WaWV3 R3RrLmNwcAppbmRleCAyYjkzZTU2Li5mOWZkMWIyIDEwMDY0NAotLS0gYS9XZWJDb3JlL3BsdWdp bnMvZ3RrL1BsdWdpblZpZXdHdGsuY3BwCisrKyBiL1dlYkNvcmUvcGx1Z2lucy9ndGsvUGx1Z2lu Vmlld0d0ay5jcHAKQEAgLTM1NywxNCArMzU3LDE0IEBAIE5QRXJyb3IgUGx1Z2luVmlldzo6Z2V0 VmFsdWVTdGF0aWMoTlBOVmFyaWFibGUgdmFyaWFibGUsIHZvaWQqIHZhbHVlKQogCiAgICAgY2Fz ZSBOUE5WU3VwcG9ydHNYRW1iZWRCb29sOgogI2lmIFBMQVRGT1JNKFgxMSkKLSAgICAgICAgKigo dWludDMyICopdmFsdWUpID0gdHJ1ZTsKKyAgICAgICAgKigoTlBCb29sICopdmFsdWUpID0gdHJ1 ZTsKICNlbHNlCi0gICAgICAgICooKHVpbnQzMiAqKXZhbHVlKSA9IGZhbHNlOworICAgICAgICAq KChOUEJvb2wgKil2YWx1ZSkgPSBmYWxzZTsKICNlbmRpZgogICAgICAgICByZXR1cm4gTlBFUlJf Tk9fRVJST1I7CiAKICAgICBjYXNlIE5QTlZqYXZhc2NyaXB0RW5hYmxlZEJvb2w6Ci0gICAgICAg ICooKHVpbnQzMiAqKXZhbHVlKSA9IHRydWU7CisgICAgICAgICooKE5QQm9vbCAqKXZhbHVlKSA9 IHRydWU7CiAgICAgICAgIHJldHVybiBOUEVSUl9OT19FUlJPUjsKIAogICAgIGRlZmF1bHQ6Cg== 28099 2009-02-27 12:21:27 -0800 2009-03-01 05:47:55 -0800 Patch for all platforms getvalue.patch text/plain 3424 lewing ZGlmZiAtLWdpdCBhL1dlYkNvcmUvQ2hhbmdlTG9nIGIvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXgg OTk2ZDQ2ZC4uMDMxZjk5YSAxMDA2NDQKLS0tIGEvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvV2Vi Q29yZS9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxOCBAQAorMjAwOS0wMi0yMyAgTGFycnkgRXdpbmcg IDxsZXdpbmdAbm92ZWxsLmNvbT4KKworCVJldmlld2QgYnkgTk9CT0RZIChPT1BTISkKKworCWh0 dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yNDA4MAorCU5QTl9HZXRWYWx1 ZSBjYXN0aW5nIHRvIHRoZSB3cm9uZyB0eXBlIGFuZCB3cml0aW5nIG91dHNpZGUgYm91bmRzCisK KwlNYWtlIHN1cmUgdG8gY2FzdCB0aGUgdmFsdWUgdG8gdGhlIGNvcnJlY3QgdHlwZSBzbyB0aGF0 IG9ubHkKKwltZW1vcnkgb3duZWQgYnkgdGhlIHZhbHVlIGlzIHdyaXR0ZW4gdG8uCisKKwkqIHBs dWdpbnMvZ3RrL1BsdWdpblZpZXdHdGsuY3BwIChQbHVnaW5WaWV3OjpnZXRWYWx1ZVN0YXRpYyk6 IAorCSogcGx1Z2lucy9xdC9QbHVnaW5WaWV3UXQuY3BwIChQbHVnaW5WaWV3OjpnZXRWYWx1ZVN0 YXRpYyk6CisJKiBwbHVnaW5zL21hYy9QbHVnaW5WaWV3TWFjLmNwcCAoUGx1Z2luVmlldzo6Z2V0 VmFsdWVTdGF0aWMpOiAKKwkoUGx1Z2luVmlldzo6Z2V0VmFsdWUpOgorCiAyMDA5LTAyLTI3ICBK aWFuIExpICA8amlhbmxpQGNocm9taXVtLm9yZz4KIAogICAgICAgICBSZXZpZXdlZCBieSBBbGV4 ZXkgUHJvc2t1cnlha292LgpkaWZmIC0tZ2l0IGEvV2ViQ29yZS9wbHVnaW5zL2d0ay9QbHVnaW5W aWV3R3RrLmNwcCBiL1dlYkNvcmUvcGx1Z2lucy9ndGsvUGx1Z2luVmlld0d0ay5jcHAKaW5kZXgg MmI5M2U1Ni4uNWVjNTE1YiAxMDA2NDQKLS0tIGEvV2ViQ29yZS9wbHVnaW5zL2d0ay9QbHVnaW5W aWV3R3RrLmNwcAorKysgYi9XZWJDb3JlL3BsdWdpbnMvZ3RrL1BsdWdpblZpZXdHdGsuY3BwCkBA IC0zNDksMjIgKzM0OSwyMiBAQCBOUEVycm9yIFBsdWdpblZpZXc6OmdldFZhbHVlU3RhdGljKE5Q TlZhcmlhYmxlIHZhcmlhYmxlLCB2b2lkKiB2YWx1ZSkKICAgICBzd2l0Y2ggKHZhcmlhYmxlKSB7 CiAgICAgY2FzZSBOUE5WVG9vbGtpdDoKICNpZiBQTEFURk9STShHVEspCi0gICAgICAgICooKHVp bnQzMiAqKXZhbHVlKSA9IDI7CisgICAgICAgICpzdGF0aWNfY2FzdDx1aW50MzIqPih2YWx1ZSkg PSAyOwogI2Vsc2UKLSAgICAgICAgKigodWludDMyICopdmFsdWUpID0gMDsKKyAgICAgICAgKnN0 YXRpY19jYXN0PHVpbnQzMio+KHZhbHVlKSA9IDA7CiAjZW5kaWYKICAgICAgICAgcmV0dXJuIE5Q RVJSX05PX0VSUk9SOwogCiAgICAgY2FzZSBOUE5WU3VwcG9ydHNYRW1iZWRCb29sOgogI2lmIFBM QVRGT1JNKFgxMSkKLSAgICAgICAgKigodWludDMyICopdmFsdWUpID0gdHJ1ZTsKKyAgICAgICAg KnN0YXRpY19jYXN0PE5QQm9vbCo+KHZhbHVlKSA9IHRydWU7CiAjZWxzZQotICAgICAgICAqKCh1 aW50MzIgKil2YWx1ZSkgPSBmYWxzZTsKKyAgICAgICAgKnN0YXRpY19jYXN0PE5QQm9vbCo+KHZh bHVlKSA9IGZhbHNlOwogI2VuZGlmCiAgICAgICAgIHJldHVybiBOUEVSUl9OT19FUlJPUjsKIAog ICAgIGNhc2UgTlBOVmphdmFzY3JpcHRFbmFibGVkQm9vbDoKLSAgICAgICAgKigodWludDMyICop dmFsdWUpID0gdHJ1ZTsKKyAgICAgICAgKnN0YXRpY19jYXN0PE5QQm9vbCo+KHZhbHVlKSA9IHRy dWU7CiAgICAgICAgIHJldHVybiBOUEVSUl9OT19FUlJPUjsKIAogICAgIGRlZmF1bHQ6CmRpZmYg LS1naXQgYS9XZWJDb3JlL3BsdWdpbnMvbWFjL1BsdWdpblZpZXdNYWMuY3BwIGIvV2ViQ29yZS9w bHVnaW5zL21hYy9QbHVnaW5WaWV3TWFjLmNwcAppbmRleCBjOTVlODU0Li5hZDEwODQ0IDEwMDY0 NAotLS0gYS9XZWJDb3JlL3BsdWdpbnMvbWFjL1BsdWdpblZpZXdNYWMuY3BwCisrKyBiL1dlYkNv cmUvcGx1Z2lucy9tYWMvUGx1Z2luVmlld01hYy5jcHAKQEAgLTIyMiwxMSArMjIyLDExIEBAIE5Q RXJyb3IgUGx1Z2luVmlldzo6Z2V0VmFsdWVTdGF0aWMoTlBOVmFyaWFibGUgdmFyaWFibGUsIHZv aWQqIHZhbHVlKQogCiAgICAgc3dpdGNoICh2YXJpYWJsZSkgewogICAgIGNhc2UgTlBOVlRvb2xr aXQ6Ci0gICAgICAgICooKHVpbnQzMiAqKXZhbHVlKSA9IDA7CisgICAgICAgICpzdGF0aWNfY2Fz dDx1aW50MzIqPih2YWx1ZSkgPSAwOwogICAgICAgICByZXR1cm4gTlBFUlJfTk9fRVJST1I7CiAK ICAgICBjYXNlIE5QTlZqYXZhc2NyaXB0RW5hYmxlZEJvb2w6Ci0gICAgICAgICooKHVpbnQzMiAq KXZhbHVlKSA9IHRydWU7CisgICAgICAgICpzdGF0aWNfY2FzdDxOUEJvb2wqPih2YWx1ZSkgPSB0 cnVlOwogICAgICAgICByZXR1cm4gTlBFUlJfTk9fRVJST1I7CiAKICAgICBkZWZhdWx0OgpAQCAt Mjc3LDcgKzI3Nyw3IEBAIE5QRXJyb3IgUGx1Z2luVmlldzo6Z2V0VmFsdWUoTlBOVmFyaWFibGUg dmFyaWFibGUsIHZvaWQqIHZhbHVlKQogICAgIH0KIAogICAgIGNhc2UgTlBOVnN1cHBvcnRzQ29y ZUdyYXBoaWNzQm9vbDoKLSAgICAgICAgKigodWludDMyICopdmFsdWUpID0gdHJ1ZTsKKyAgICAg ICAgKnN0YXRpY19jYXN0PE5QQm9vbCo+KHZhbHVlKSA9IHRydWU7CiAgICAgICAgIHJldHVybiBO UEVSUl9OT19FUlJPUjsKIAogICAgIGRlZmF1bHQ6CmRpZmYgLS1naXQgYS9XZWJDb3JlL3BsdWdp bnMvcXQvUGx1Z2luVmlld1F0LmNwcCBiL1dlYkNvcmUvcGx1Z2lucy9xdC9QbHVnaW5WaWV3UXQu Y3BwCmluZGV4IDQ5ODJkMDguLmEyYTgwMGEgMTAwNjQ0Ci0tLSBhL1dlYkNvcmUvcGx1Z2lucy9x dC9QbHVnaW5WaWV3UXQuY3BwCisrKyBiL1dlYkNvcmUvcGx1Z2lucy9xdC9QbHVnaW5WaWV3UXQu Y3BwCkBAIC0zMDEsMTUgKzMwMSwxNSBAQCBOUEVycm9yIFBsdWdpblZpZXc6OmdldFZhbHVlU3Rh dGljKE5QTlZhcmlhYmxlIHZhcmlhYmxlLCB2b2lkKiB2YWx1ZSkKIHsKICAgICBzd2l0Y2ggKHZh cmlhYmxlKSB7CiAgICAgY2FzZSBOUE5WVG9vbGtpdDoKLSAgICAgICAgKigodWludDMyICopdmFs dWUpID0gMDsKKyAgICAgICAgKnN0YXRpY19jYXN0PHVpbnQzMio+KHZhbHVlKSA9IDA7CiAgICAg ICAgIHJldHVybiBOUEVSUl9OT19FUlJPUjsKIAogICAgIGNhc2UgTlBOVlN1cHBvcnRzWEVtYmVk Qm9vbDoKLSAgICAgICAgKigodWludDMyICopdmFsdWUpID0gdHJ1ZTsKKyAgICAgICAgKnN0YXRp Y19jYXN0PE5QQm9vbCo+KHZhbHVlKSA9IHRydWU7CiAgICAgICAgIHJldHVybiBOUEVSUl9OT19F UlJPUjsKIAogICAgIGNhc2UgTlBOVmphdmFzY3JpcHRFbmFibGVkQm9vbDoKLSAgICAgICAgKigo dWludDMyICopdmFsdWUpID0gdHJ1ZTsKKyAgICAgICAgKnN0YXRpY19jYXN0PE5QQm9vbCo+KHZh bHVlKSA9IHRydWU7CiAgICAgICAgIHJldHVybiBOUEVSUl9OT19FUlJPUjsKIAogICAgIGRlZmF1 bHQ6Cg==