Bug 19309

Summary: uninitialised variable in PluginView
Product: WebKit Reporter: Christian Persch (GNOME) (away; not reading bugmail) <chpe>
Component: Plug-insAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: alp, darin
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Attachments:
Description Flags
patch darin: review+

Christian Persch (GNOME) (away; not reading bugmail)
Reported 2008-05-29 09:09:05 PDT
PluginView's NPP instance's pdata member is uninitialised. I was getting crashes in the totem plugins because of this; attached patch inits the var to 0. (This might have been a problem in the plugin itself, but I think it's better to be resilient against buggy plugins than just crash.)
Attachments
patch (882 bytes, patch)
2008-05-29 09:10 PDT, Christian Persch (GNOME) (away; not reading bugmail) 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Christian Persch (GNOME) (away; not reading bugmail)
Comment 1 2008-05-29 09:10:50 PDT
Created attachment 21410 [details] patch
Darin Adler
Comment 2 2008-05-29 09:50:14 PDT
Comment on attachment 21410 [details] patch Isn't it the plug-in's responsibility to initialize pdata if it wants to use it? I guess there's no harm in this in either case, so r=me.
Alp Toker
Comment 3 2008-05-29 10:01:23 PDT
The Moonlight plugin team also noticed they were relying on structures being zeroed when initialized, since this is Mozilla's behavour (at least on Linux/X11, I understand NPN_MemAlloc zeros as well as allocating while ours doesn't zero). They fixed the assumptions in their code, but I wonder if we should just go ahead and zero all newly-allocated data and structures passed to plugins as a rule rather than patching up issues individually as we discover them. If plugins in the wild are assuming the allocated data is zeroed and transmitting uninitialised buffers over the network this could lead to security issues even in plugins that seem to work fine.
Alp Toker
Comment 4 2008-05-29 10:31:38 PDT
CC'ing Darin. We should probably skip this patch and match Mozilla's behaviour as I described since plugins are expecting zeroed input (even though the NPAPI docs warn plugin authors not to rely on this).
Darin Adler
Comment 5 2008-05-29 10:39:29 PDT
(In reply to comment #3) > The Moonlight plugin team also noticed they were relying on structures being > zeroed when initialized, since this is Mozilla's behavour (at least on > Linux/X11, I understand NPN_MemAlloc zeros as well as allocating while ours > doesn't zero). They fixed the assumptions in their code, but I wonder if we > should just go ahead and zero all newly-allocated data and structures passed to > plugins as a rule rather than patching up issues individually as we discover > them. The NPN_MemAlloc change sounds OK. Any other specific cases?
Alp Toker
Comment 6 2008-05-29 11:08:08 PDT
(In reply to comment #5) > > The NPN_MemAlloc change sounds OK. Any other specific cases? > The WebKit NPP, NPWindow, NPStream we pass to plugins are allocated as part of the C++ class, and the default memory allocator used for objects doesn't zero. There are some attempts to zero the fields, but if you take a look at PluginStream.cpp, the 'headers' field remains uninitialized until PluginStream::startStream(), by which time a plugin may already have tried to access it. Perhaps it'd be more effective to allocate and initialize these structures explicitly rather than pointing the plugin to an offset in the C++ class?
Darin Adler
Comment 7 2008-05-29 12:07:33 PDT
(In reply to comment #6) > Perhaps it'd be more effective to allocate and initialize these structures > explicitly rather than pointing the plugin to an offset in the C++ class? That sounds like overkill. It's trivial to initialize to 0: memset(&x, 0, sizeof(x)); So if we want initialization, then lets add it.
Darin Adler
Comment 8 2008-06-08 11:17:35 PDT
Committed revision 34443.
Note You need to log in before you can comment on or make changes to this bug.