Bug 24080 - NPN_GetValue casting to the wrong type and writing outside bounds
Summary: NPN_GetValue casting to the wrong type and writing outside bounds
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Plug-ins
Version: 528+ (Nightly build)
Hardware: All
OS: All
Priority: P2
Severity: Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-02-22 11:40 PST by Larry Ewing
Modified: 2009-03-01 16:43 PST (History)
CC: 2 users

See Also:


Attachments
fix for the problem (708 bytes, patch)
2009-02-22 11:41 PST, Larry Ewing
no flags
Patch with ChangeLog (1.28 KB, patch)
2009-02-23 07:58 PST, Larry Ewing
no flags
Patch for all platforms (3.34 KB, patch)
2009-02-27 12:21 PST, Larry Ewing
ap: review+

Description Larry Ewing 2009-02-22 11:40:32 PST
PluginView is casting NPBool types to uint32 and, as a result, writing outside the memory it owns, potentially trashing the stack.
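The defect described above, reduced to a runnable model. This is an added example, not code from this bug, its patches or WebKit: NPBool being a single unsigned char matches npapi.h, but the variable name NPNVSupportsWindowless (the report does not say which boolean variable was affected), the getValueBeforeFix/getValueAfterFix functions, the NPError values and the PluginLocals struct standing in for the plugin's stack frame are all constructed here for illustration. The "before" function stores through uint32_t as the description says PluginView did; the "after" function stores through the declared NPBool type with a C++-style cast, which is what comment 8 describes the cross-platform patch doing.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// NPAPI declares NPBool as one unsigned char (npapi.h). Everything else in
// this header block is a reduced stand-in for the example, not the real API.
typedef unsigned char NPBool;
typedef int16_t NPError;
enum { NPERR_NO_ERROR = 0, NPERR_GENERIC_ERROR = 1 };
enum NPNVariable { NPNVSupportsWindowless };  // assumed variable; numeric value not taken from npapi.h

typedef NPError (*GetValueFn)(NPNVariable, void*);

// Before the fix: the browser treats the caller's NPBool slot as a uint32 and
// stores 4 bytes into a 1-byte object. The plugin reserved one byte, so the
// other three land on whatever follows it in the plugin's stack frame.
NPError getValueBeforeFix(NPNVariable variable, void* value) {
    switch (variable) {
    case NPNVSupportsWindowless:
        *(uint32_t*)value = true;  // 4-byte store through the wrong type
        return NPERR_NO_ERROR;
    default:
        return NPERR_GENERIC_ERROR;
    }
}

// After the fix: store through the type the plugin actually passed, with a
// C++-style cast so the target type is visible at the call site.
NPError getValueAfterFix(NPNVariable variable, void* value) {
    switch (variable) {
    case NPNVSupportsWindowless:
        *static_cast<NPBool*>(value) = true;  // exactly one byte written
        return NPERR_NO_ERROR;
    default:
        return NPERR_GENERIC_ERROR;
    }
}

// Constructed model of the plugin's stack frame: the NPBool handed to
// NPN_GetValue sits next to other locals. The bytes after it are filled with
// a canary so an over-wide store is observable without depending on a real
// stack layout. alignas(4) keeps a 4-byte store at &supportsWindowless
// inside this object rather than past its end.
struct alignas(4) PluginLocals {
    NPBool supportsWindowless;
    unsigned char neighbours[7];
};

struct Outcome {
    NPBool flag;    // what the plugin reads back from its NPBool
    int clobbered;  // how many neighbouring canary bytes were changed
};

// Make one NPN_GetValue-style call the way a plugin would: pass the address
// of its NPBool local as the out-pointer, then inspect what happened around it.
Outcome callFromPlugin(GetValueFn getValue) {
    PluginLocals locals;
    locals.supportsWindowless = 0;
    std::memset(locals.neighbours, 0xAA, sizeof locals.neighbours);

    getValue(NPNVSupportsWindowless, &locals.supportsWindowless);

    Outcome out = { locals.supportsWindowless, 0 };
    for (unsigned char b : locals.neighbours)
        if (b != 0xAA)
            ++out.clobbered;
    return out;
}

int main() {
    Outcome before = callFromPlugin(getValueBeforeFix);
    Outcome after = callFromPlugin(getValueAfterFix);
    std::printf("before fix: flag=%d, %d neighbouring bytes clobbered\n",
                (int)before.flag, before.clobbered);
    std::printf("after fix:  flag=%d, %d neighbouring bytes clobbered\n",
                (int)after.flag, after.clobbered);
    return 0;
}
```

On a little-endian host the pre-fix store sets the flag and zeroes the three bytes after it; on a big-endian host the flag itself reads back as 0 and the 1 lands three bytes further on, so the plugin would not even see the value it asked for. Either way three bytes the browser does not own are overwritten, and whether that is harmless padding, another local, or a saved register depends entirely on the plugin's compiler, which is why the report calls it potential stack trashing.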
Comment 1 Larry Ewing 2009-02-22 11:41:38 PST
Created attachment 27868
fix for the problem
Comment 2 Larry Ewing 2009-02-23 07:58:18 PST
Created attachment 27881
Patch with ChangeLog
Comment 3 Alexey Proskuryakov 2009-02-23 13:40:53 PST
Comment on attachment 27881
Patch with ChangeLog

Looks like this was meant for review, marking as such.
Comment 4 Alexey Proskuryakov 2009-02-27 11:11:29 PST
Per IRC discussion, this is a problem on other platforms, too.
Comment 5 Alexey Proskuryakov 2009-02-27 11:35:23 PST
<http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/plugins/plugin_host.cc> seems to have the same issue, even though this code doesn't look like it was derived from WebKit.
Comment 6 Anders Carlsson 2009-02-27 12:10:59 PST
Comment on attachment 27881
Patch with ChangeLog

r=me
Comment 7 Alexey Proskuryakov 2009-02-27 12:13:15 PST
Comment on attachment 27881
Patch with ChangeLog

Clearing review flag, because Larry is working on a patch which will fix this for all platforms.
Comment 8 Larry Ewing 2009-02-27 12:21:27 PST
Created attachment 28099
Patch for all platforms

Fix the NPBool values for all platforms and use C++-style casts.
Comment 9 Alexey Proskuryakov 2009-03-01 05:47:55 PST
Comment on attachment 28099
Patch for all platforms

r=me

There are tabs in ChangeLog, they will need to be replaced with spaces when landing.
Comment 10 David Levin 2009-03-01 16:43:08 PST
Committed as r41346.