[Bug 518] New: NPString.utf8characters not guaranteed to be nul-terminated

bugzilla-daemon at icedtea.classpath.org bugzilla-daemon at icedtea.classpath.org
Tue Jul 6 15:59:59 PDT 2010


http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=518

           Summary: NPString.utf8characters not guaranteed to be nul-terminated
           Product: IcedTea
           Version: unspecified
          Platform: all
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: GCJWebPlugin
        AssignedTo: unassigned at icedtea.classpath.org
        ReportedBy: steven.bergom at atego.com


Any NPString object returned when communicating with the browser cannot be
assumed to be null-terminated at the appropriate place.  Working on the char*
in NPString.utf8characters with the standard string-handling functions (e.g.
g_strsplit, g_strlen, g_strdup) will result in unintended consequences.

For example, in plugin_get_documentbase() on lines 1030-1033 the document
location is written to the variable href by a call to
browser_functions.getproperty().  In the next section the return value is split
via a call to g_strsplit().  If the string -- href.utf8characters -- contains
junk rather than being null-terminated then it will report
"http://foo/bar.htmlgarbage" instead of "http://foo/bar.html" as the document
base.

I discovered this when testing the plugin in WebKit-1.1.90 on both Linux-x86
and Linux-ARM.  In the latter case there was an extra forward slash in the
garbage resulting in the plugin handler unable to form a correct URL to
download the applet Jar.  The x86 target just happened to not have a forward
slash but still had some extra garbage resulting in an incorrect document base.

The solution is to make a safe, local copy of NPString.utf8characters that can
be freed before return from the function.  This
    gchar** parts = g_strsplit (NPVARIANT_TO_STRING(href).UTF8Characters, "/", -1);
should become
    gchar* safeNPString;
    safeNPString = (gchar*)g_malloc0(NPVARIANT_TO_STRING(*location).UTF8Length + 1);
    g_strlcpy(safeNPString,
              NPVARIANT_TO_STRING(*location).UTF8Characters,
              NPVARIANT_TO_STRING(*location).UTF8Length+1);
    gchar** parts = g_strsplit (safeNPString, "/", -1);
    g_free(safeNPString);

This needs to be done in all places where an NPString object is returned from
the browser.


-- 
Configure bugmail: http://icedtea.classpath.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
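The following is an added example illustrating the defect described in the report; it is not IcedTea or NPAPI code. It is plain C with no GLib dependency: the `NPString` struct is an assumed minimal stand-in for the real one in npruntime.h (pointer plus explicit byte length, no terminator guarantee), the backing buffer with trailing junk is constructed, and `npstring_dup`, `document_base` and `naive_length` are illustrative names. It shows the length-honouring copy beside the strlen-style reading that produces the "http://foo/bar.htmlgarbage" document base.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for NPAPI's NPString: a pointer plus an explicit byte
 * length, with no guarantee of a NUL at UTF8Characters[UTF8Length].
 * Assumed layout for this example; the real type lives in npruntime.h. */
typedef struct {
    const char *UTF8Characters;
    uint32_t    UTF8Length;
} NPString;

/* Safe copy: honour UTF8Length, never scan for a terminator, append a NUL.
 * Caller frees. Same idea as g_strndup(chars, len) in GLib. */
char *npstring_dup(const NPString *s)
{
    char *copy = malloc((size_t)s->UTF8Length + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, s->UTF8Characters, s->UTF8Length);
    copy[s->UTF8Length] = '\0';
    return copy;
}

/* Document base = everything up to and including the last '/'.
 * Works on a NUL-terminated string only, so feed it npstring_dup()'s output. */
char *document_base(const char *href)
{
    const char *last = strrchr(href, '/');
    size_t keep = last ? (size_t)(last - href) + 1 : strlen(href);
    char *base = malloc(keep + 1);
    if (base == NULL)
        return NULL;
    memcpy(base, href, keep);
    base[keep] = '\0';
    return base;
}

/* Constructed input: the browser hands back 19 meaningful bytes, but the
 * backing buffer carries trailing junk (with an extra '/') instead of a NUL. */
static const char junk_buffer[] = "http://foo/bar.htmlgarbage/x";
static const NPString href = { junk_buffer, 19 };

/* Length as strlen()-style handling would see it: the unsafe reading. */
size_t naive_length(const NPString *s)
{
    return strlen(s->UTF8Characters);   /* reads past UTF8Length */
}

int main(void)
{
    char *safe = npstring_dup(&href);
    char *good = document_base(safe);
    char *bad  = document_base(href.UTF8Characters);   /* what the bug produces */
    printf("UTF8Length %u, naive strlen %zu\n", href.UTF8Length, naive_length(&href));
    printf("safe copy:  %s\nsafe base:  %s\nnaive base: %s\n", safe, good, bad);
    free(bad);
    free(good);
    free(safe);
    return 0;
}
```

One detail worth knowing when applying the report's g_strlcpy version: GLib's g_strlcpy computes its return value by scanning the source until it finds a NUL, so on a non-terminated buffer the copy itself stays in bounds but the scan still reads past UTF8Length. A memcpy of exactly UTF8Length bytes, or g_strndup, avoids that read entirely.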



More information about the distro-pkg-dev mailing list