[Bug 1106] Icedtea 1.2.1 crashes Firefox
bugzilla-daemon at icedtea.classpath.org
Fri Aug 3 12:26:09 PDT 2012
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1106
--- Comment #8 from Vlastimil Babka <caster at gentoo.org> ---
(In reply to comment #6)
> Looking at the trace, it appears this patch may be to blame:
>
> http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/a49edd57b1b3
>
> Assigning to patch owner (Adam) to cc:
It indeed appears to be due to the patch. Here's my relevant gdb output:
...
#5 0x00007fffc0adbb68 in memcpy (__src=0x7ffff66df460, __dest=0x7fffc0cff940,
__len=<optimized out>) at /usr/include/bits/string3.h:52
#6 initialize_browser_functions (browserTable=0x7ffff66df460) at
/var/tmp/portage/dev-java/icedtea-web-1.2.1-r7/work/icedtea-web-1.2.1/plugin/icedteanp/IcedTeaNPPlugin.cc:2057
#7 NP_Initialize (browserTable=0x7ffff66df460, pluginTable=0x7fffc0d71210) at
/var/tmp/portage/dev-java/icedtea-web-1.2.1-r7/work/icedtea-web-1.2.1/plugin/icedteanp/IcedTeaNPPlugin.cc:2145
...
(gdb) up
#6 initialize_browser_functions (browserTable=0x7ffff66df460) at
/var/tmp/portage/dev-java/icedtea-web-1.2.1-r7/work/icedtea-web-1.2.1/plugin/icedteanp/IcedTeaNPPlugin.cc:2057
2057 memcpy(&browser_functions, browserTable, browserTable->size);
(gdb) l
2052 }
2053
2054 //Ensure any unused fields are NULL
2055 memset(&browser_functions, 0, sizeof(NPNetscapeFuncs));
2056 //Copy fields according to given size
2057 memcpy(&browser_functions, browserTable, browserTable->size);
2058
2059 return true;
2060 }
2061
(gdb) print (browserTable->size)
$1 = 472
(gdb) print (sizeof(NPNetscapeFuncs))
$2 = 448
(gdb) quit
So apparently it memcopies a larger memory area into a smaller one. At first
sight, the patch checks whether browserTable->size is large enough to contain
all necessary functions, but does not check whether the size is larger than the
allocated area.
Now I have little idea about this API, so I don't know how it's possible that
NPNetscapeFuncs is smaller than the actual size. Could it be related to the
npapi-sdk version? In Gentoo I have 0.27 installed.
However, maybe it could work to memcpy only the area of usedSize, or just to
cap the reported size at sizeof(NPNetscapeFuncs)?
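The overflow described in the comment above (a browser-supplied `size` field used as the copy length into a fixed-size plugin struct) and the capped copy the commenter suggests, as an added example that is not icedtea-web's code. The struct layouts, field names and `dummy_fn` are constructed for illustration; only the convention that the table starts with a `uint16_t size` mirrors NPAPI, and the 472/448 figures are the ones from the gdb session.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for NPNetscapeFuncs (hypothetical layout; only the
 * size/version prefix mirrors the real NPAPI header): the plugin's
 * compile-time picture of the browser's function table. */
typedef struct {
    uint16_t size;          /* byte count the browser claims to have filled in */
    uint16_t version;
    void (*geturl)(void);
    void (*posturl)(void);
    void (*memalloc)(void);
    void (*memfree)(void);
} PluginSideFuncs;

/* A newer browser (or newer npapi-sdk) exports a larger table: the same
 * prefix followed by entries this plugin build knows nothing about. */
typedef struct {
    PluginSideFuncs base;
    void (*extra1)(void);
    void (*extra2)(void);
    void (*extra3)(void);
} BrowserSideFuncs;

/* Plugin-side copy of the table, like browser_functions in the report. */
static PluginSideFuncs browser_functions;

/* Bytes that memcpy(&dst, table, table->size) writes past the end of dst when
 * the browser reports table_size and dst holds dst_size bytes. With the gdb
 * values from the report (472 reported, 448 allocated) that is 24. */
size_t overrun_bytes(uint16_t table_size, size_t dst_size)
{
    return table_size > dst_size ? table_size - dst_size : 0;
}

/* Hardened initialize_browser_functions: reject tables too short to hold the
 * entries we dereference, then copy min(reported, sizeof dst) bytes. The min
 * protects both ways: a larger table cannot overflow dst, and a smaller (but
 * sufficient) table is not over-read past its own end. */
bool initialize_browser_functions_safe(const void *browser_table)
{
    uint16_t reported;
    memcpy(&reported, browser_table, sizeof reported);   /* size is the first field */

    /* memfree is the last entry this plugin uses; everything up to and
     * including it must be present in the browser's table. */
    size_t needed = offsetof(PluginSideFuncs, memfree) + sizeof(void (*)(void));
    if (reported < needed)
        return false;

    memset(&browser_functions, 0, sizeof browser_functions);  /* unused fields NULL */
    size_t n = reported < sizeof browser_functions ? reported : sizeof browser_functions;
    memcpy(&browser_functions, browser_table, n);
    return true;
}

static void dummy_fn(void) {}

/* Constructed scenario matching the report: browser table larger than the
 * plugin's struct. True when the capped copy succeeds, keeps the reported
 * size, and lands the last known entry in the right slot. */
bool demo_newer_browser(void)
{
    BrowserSideFuncs t;
    memset(&t, 0, sizeof t);
    t.base.size = (uint16_t)sizeof t;
    t.base.version = 27;
    t.base.geturl = dummy_fn;
    t.base.posturl = dummy_fn;
    t.base.memalloc = dummy_fn;
    t.base.memfree = dummy_fn;
    t.extra1 = dummy_fn;
    t.extra2 = dummy_fn;
    t.extra3 = dummy_fn;

    if (!initialize_browser_functions_safe(&t))
        return false;
    return browser_functions.size == sizeof t
        && browser_functions.memfree == dummy_fn;
}

/* Constructed scenario for the check the patch did have: a browser that
 * reports only the size/version prefix must be rejected, not copied. */
bool demo_too_small_browser(void)
{
    PluginSideFuncs t;
    memset(&t, 0, sizeof t);
    t.size = 4;   /* size + version only, no function entries */
    return !initialize_browser_functions_safe(&t);
}

int main(void)
{
    printf("overrun with the report's numbers: %zu bytes\n", overrun_bytes(472, 448));
    printf("newer browser handled: %s\n", demo_newer_browser() ? "yes" : "no");
    printf("too-small table rejected: %s\n", demo_too_small_browser() ? "yes" : "no");
    return 0;
}
```

The two checks are independent: the minimum-size check guards the plugin's reads of entries the browser never filled in, the cap guards the plugin's own struct against a browser that is newer than the header the plugin was compiled against. The original patch, as the gdb session shows, had only the first.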