PluginView is casting NPBool types to uint32 and, as a result, writing outside the memory it owns, potentially trashing the stack.
Created attachment 27868: fix for the problem
Created attachment 27881: Patch with ChangeLog
Comment on attachment 27881 (Patch with ChangeLog): Looks like this was meant for review, marking as such.
Per IRC discussion, this is a problem on other platforms, too.
<http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/plugins/plugin_host.cc> seems to have the same issue, even though this code doesn't look like it was derived from WebKit.
Comment on attachment 27881 (Patch with ChangeLog): r=me
Comment on attachment 27881 (Patch with ChangeLog): Clearing review flag, because Larry is working on a patch which will fix this for all platforms.
Created attachment 28099: Patch for all platforms. Fix the NPBool values for all platforms and use C++-style casts.
Comment on attachment 28099 (Patch for all platforms): r=me. There are tabs in ChangeLog; they will need to be replaced with spaces when landing.
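A stand-alone illustration of the defect in the bug report and of the corrected pattern described in the patch above. This is added example code, not WebKit's PluginView source or the attached patch; the NPBool typedef, CallerFrame struct and getValue* function names are local stand-ins for the NPAPI types and host code.

```cpp
#include <cstdint>
#include <cstring>
#include <cstdio>

// NPAPI's NPBool is a one-byte type; local typedef standing in for npapi.h.
typedef unsigned char NPBool;

// Model of the caller's stack frame: the NPBool a plugin hands to the host
// to be filled in, followed by three neighbouring bytes. alignas keeps the
// 4-byte overwrite in the buggy version aligned so the demo is deterministic.
struct alignas(std::uint32_t) CallerFrame {
    NPBool supportsWindowless;
    unsigned char neighbours[3];
};

// Buggy pattern from the bug report: the host treats the NPBool* it was
// given as a uint32* and stores four bytes, three of them past the NPBool.
static void getValueBuggy(void* value) {
    *(std::uint32_t*)value = 1;
}

// Corrected pattern as the patch describes it: store exactly one NPBool,
// using a C++-style cast.
static void getValueFixed(void* value) {
    *static_cast<NPBool*>(value) = true;
}

// Fill the frame with a sentinel, call the getter on the NPBool slot and
// count how many neighbouring bytes it clobbered (0 for a correct getter).
static int clobberedNeighbourBytes(void (*getValue)(void*)) {
    CallerFrame frame;
    std::memset(&frame, 0xAA, sizeof frame);  // constructed sentinel pattern
    getValue(&frame.supportsWindowless);
    int clobbered = 0;
    for (unsigned char b : frame.neighbours)
        if (b != 0xAA) ++clobbered;
    return clobbered;
}

int main() {
    std::printf("buggy getter clobbered %d neighbour bytes\n",
                clobberedNeighbourBytes(getValueBuggy));
    std::printf("fixed getter clobbered %d neighbour bytes\n",
                clobberedNeighbourBytes(getValueFixed));
    return 0;
}
```

In a real host the neighbouring bytes belong to whatever the plugin placed next to its NPBool on the stack, which is the corruption the report describes.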
Committed as r41346.