[icedtea-web][rfc] Fix for PR1106, icedtea-web crashes firefox on Gentoo, Archlinux
Deepak Bhole
dbhole at redhat.com
Tue Aug 7 06:52:51 PDT 2012
* Adam Domurad <adomurad at redhat.com> [2012-08-03 18:34]:
> Hi all, this fix was suggested by Vlastimil Babka and verified to fix
> the issue on Gentoo.
>
> The issue essentially comes up when a buffer overflow occurs writing a
> too-large browser function table, it is detected, and causes firefox to
> crash.
>
> I have modified the commenting and indenting of the fix slightly.
>
Assuming you have tested this, OK for HEAD, 1.1 and 1.2.
Cheers,
Deepak
>
> Changelog:
> 2012-08-03 Adam Domurad <adomurad at redhat.com>
>
> Fixes PR1106, plugin crashing with firefox + archlinux/gentoo
> * plugin/icedteanp/IcedTeaNPPlugin.cc
> (initialize_browser_functions): Account for the fact that
> browserTable->size can be larger than sizeof(NPNetscapeFuncs)
> diff --git a/plugin/icedteanp/IcedTeaNPPlugin.cc b/plugin/icedteanp/IcedTeaNPPlugin.cc
> --- a/plugin/icedteanp/IcedTeaNPPlugin.cc
> +++ b/plugin/icedteanp/IcedTeaNPPlugin.cc
> @@ -2043,8 +2043,13 @@ initialize_browser_functions(const NPNet
>
> //Ensure any unused fields are NULL
> memset(&browser_functions, 0, sizeof(NPNetscapeFuncs));
> +
> + //browserTable->size can be larger than sizeof(NPNetscapeFuncs) (PR1106)
> + size_t copySize = browserTable->size < sizeof(NPNetscapeFuncs) ?
> + browserTable->size : sizeof(NPNetscapeFuncs);
> +
> //Copy fields according to given size
> - memcpy(&browser_functions, browserTable, browserTable->size);
> + memcpy(&browser_functions, browserTable, copySize);
>
> return true;
> }
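Review bot: The clamp on the memcpy length leaves browser_functions.size inconsistent with what was actually copied. Because the copy starts at the beginning of browserTable, the size field is copied too, so when browserTable->size exceeds sizeof(NPNetscapeFuncs) the local table still reports the browser's larger size. Any later code that trusts browser_functions.size to decide which entries exist would then look past the end of the struct. Consider setting browser_functions.size = copySize right after the memcpy so the stored size matches the bytes that were copied.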