RESOLVED FIXED 24080
NPN_GetValue casting to the wrong type and writing outside bounds
https://bugs.webkit.org/show_bug.cgi?id=24080
Larry Ewing
Reported 2009-02-22 11:40:32 PST
PluginView is casting NPBool types to uint32 and, as a result, writing outside the memory it owns, potentially trashing the stack.
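The defect class the report describes, shown as an added C++ illustration rather than the WebKit patch itself: a host that stores a 32-bit value through the plugin's one-byte NPBool out-pointer, beside the corrected store. The FakeVariable enum and the Probe layout are constructed for the demonstration; the real NPNVariable values and PluginView code are not reproduced here.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

typedef unsigned char NPBool;  // NPAPI boolean: the out-parameter is one byte
// Constructed stand-in for an NPNVariable whose result is an NPBool.
enum FakeVariable { kBoolVariable = 1 };

// Before the fix: the host stores through a uint32 pointer, so a plugin that
// passed the address of an NPBool gets three extra bytes written past it.
void getValueBuggy(FakeVariable variable, void* value)
{
    if (variable == kBoolVariable)
        *static_cast<std::uint32_t*>(value) = 1;
}

// After the fix: store exactly one NPBool through a C++-style cast.
void getValueFixed(FakeVariable variable, void* value)
{
    if (variable == kBoolVariable)
        *static_cast<NPBool*>(value) = 1;
}

// Plugin-side caller: an NPBool followed by guard bytes standing in for the
// neighbouring stack slots; the union keeps the block 4-byte aligned.
struct Probe {
    NPBool flag;
    unsigned char guard[3];
};
union AlignedProbe {
    Probe probe;
    std::uint32_t align;
};
struct Outcome {
    int clobberedGuardBytes;  // guard bytes changed by the call
    NPBool flagSeenByCaller;  // the value the caller reads back
};

Outcome callThroughHost(void (*getValue)(FakeVariable, void*))
{
    AlignedProbe u;
    u.probe.flag = 0;
    std::memset(u.probe.guard, 0xAA, sizeof u.probe.guard);
    getValue(kBoolVariable, &u.probe.flag);
    Outcome out = { 0, u.probe.flag };
    for (std::size_t i = 0; i < sizeof u.probe.guard; ++i)
        if (u.probe.guard[i] != 0xAA)
            ++out.clobberedGuardBytes;
    return out;
}
```

On a big-endian machine the buggy store also leaves the caller's NPBool reading 0, so the cast was wrong in value as well as in width.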
Attachments
fix for the problem (708 bytes, patch), 2009-02-22 11:41 PST, Larry Ewing, no flags
Patch with ChangeLog (1.28 KB, patch), 2009-02-23 07:58 PST, Larry Ewing, no flags
Patch for all platforms (3.34 KB, patch), 2009-02-27 12:21 PST, Larry Ewing, ap: review+
Larry Ewing
Comment 1 2009-02-22 11:41:38 PST
Created attachment 27868 [details] fix for the problem
Larry Ewing
Comment 2 2009-02-23 07:58:18 PST
Created attachment 27881 [details] Patch with ChangeLog
Alexey Proskuryakov
Comment 3 2009-02-23 13:40:53 PST
Comment on attachment 27881 (Patch with ChangeLog): Looks like this was meant for review, marking as such.
Alexey Proskuryakov
Comment 4 2009-02-27 11:11:29 PST
Per IRC discussion, this is a problem on other platforms, too.
Alexey Proskuryakov
Comment 5 2009-02-27 11:35:23 PST
<http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/plugins/plugin_host.cc> seems to have the same issue, even though this code doesn't look like it was derived from WebKit.
Anders Carlsson
Comment 6 2009-02-27 12:10:59 PST
Comment on attachment 27881 (Patch with ChangeLog): r=me
Alexey Proskuryakov
Comment 7 2009-02-27 12:13:15 PST
Comment on attachment 27881 (Patch with ChangeLog): Clearing review flag, because Larry is working on a patch which will fix this for all platforms.
Larry Ewing
Comment 8 2009-02-27 12:21:27 PST
Created attachment 28099 (Patch for all platforms): Fix the NPBool values for all platforms and use C++ style casts.
Alexey Proskuryakov
Comment 9 2009-03-01 05:47:55 PST
Comment on attachment 28099 (Patch for all platforms): r=me. There are tabs in ChangeLog, they will need to be replaced with spaces when landing.
David Levin
Comment 10 2009-03-01 16:43:08 PST
Committed as r41346.