Summary: | uninitialised variable in PluginView | ||||||
---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Christian Persch (GNOME) (away; not reading bugmail) <chpe> | ||||
Component: | Plug-ins | Assignee: | Nobody <webkit-unassigned> | ||||
Status: | RESOLVED FIXED | ||||||
Severity: | Normal | CC: | alp, darin | ||||
Priority: | P2 | ||||||
Version: | 528+ (Nightly build) | ||||||
Hardware: | PC | ||||||
OS: | OS X 10.5 | ||||||
Attachments: |
|
Description
Christian Persch (GNOME) (away; not reading bugmail)
2008-05-29 09:09:05 PDT
Created attachment 21410 [details]
patch
Comment on attachment 21410 [details]
patch
Isn't it the plug-in's responsibility to initialize pdata if it wants to use it?
I guess there's no harm in this in either case, so r=me.
The Moonlight plugin team also noticed they were relying on structures being zeroed when initialized, since this is Mozilla's behavour (at least on Linux/X11, I understand NPN_MemAlloc zeros as well as allocating while ours doesn't zero). They fixed the assumptions in their code, but I wonder if we should just go ahead and zero all newly-allocated data and structures passed to plugins as a rule rather than patching up issues individually as we discover them. If plugins in the wild are assuming the allocated data is zeroed and transmitting uninitialised buffers over the network this could lead to security issues even in plugins that seem to work fine. CC'ing Darin. We should probably skip this patch and match Mozilla's behaviour as I described since plugins are expecting zeroed input (even though the NPAPI docs warn plugin authors not to rely on this). (In reply to comment #3) > The Moonlight plugin team also noticed they were relying on structures being > zeroed when initialized, since this is Mozilla's behavour (at least on > Linux/X11, I understand NPN_MemAlloc zeros as well as allocating while ours > doesn't zero). They fixed the assumptions in their code, but I wonder if we > should just go ahead and zero all newly-allocated data and structures passed to > plugins as a rule rather than patching up issues individually as we discover > them. The NPN_MemAlloc change sounds OK. Any other specific cases? (In reply to comment #5) > > The NPN_MemAlloc change sounds OK. Any other specific cases? > The WebKit NPP, NPWindow, NPStream we pass to plugins are allocated as part of the C++ class, and the default memory allocator used for objects doesn't zero. There are some attempts to zero the fields, but if you take a look at PluginStream.cpp, the 'headers' field remains uninitialized until PluginStream::startStream(), by which time a plugin may already have tried to access it. Perhaps it'd be more effective to allocate and initialize these structures explicitly rather than pointing the plugin to an offset in the C++ class? (In reply to comment #6) > Perhaps it'd be more effective to allocate and initialize these structures > explicitly rather than pointing the plugin to an offset in the C++ class? That sounds like overkill. It's trivial to initialize to 0: memset(&x, 0, sizeof(x)); So if we want initialization, then lets add it. Committed revision 34443. |