/hg/icedtea-web: Fixes PR1106, buffer overflow in plugin table
adomurad at icedtea.classpath.org
Tue Aug 7 07:58:23 PDT 2012
changeset f50ebe7b01da in /hg/icedtea-web
details: http://icedtea.classpath.org/hg/icedtea-web?cmd=changeset;node=f50ebe7b01da
author: Adam Domurad <adomurad at redhat.com>
date: Tue Aug 07 10:57:02 2012 -0400
Fixes PR1106, buffer overflow in plugin table
diffstat:
ChangeLog | 7 +++++++
NEWS | 4 +++-
plugin/icedteanp/IcedTeaNPPlugin.cc | 7 ++++++-
3 files changed, 16 insertions(+), 2 deletions(-)
diffs (47 lines):
diff -r 31b729370710 -r f50ebe7b01da ChangeLog
--- a/ChangeLog Tue Aug 07 12:24:29 2012 +0200
+++ b/ChangeLog Tue Aug 07 10:57:02 2012 -0400
@@ -1,3 +1,10 @@
+2012-08-07 Adam Domurad <adomurad at redhat.com>
+
+ Fixes PR1106, plugin crashing with firefox + archlinux/gentoo
+ * plugin/icedteanp/IcedTeaNPPlugin.cc
+ (initialize_browser_functions): Account for the fact that
+ browserTable->size can be larger than sizeof(NPNetscapeFuncs)
+
2012-08-01 Saad Mohammad <smohammad at redhat.com>
Fix PR1049: Extension jnlp's signed jar with the content of only META-INF/*
diff -r 31b729370710 -r f50ebe7b01da NEWS
--- a/NEWS Tue Aug 07 12:24:29 2012 +0200
+++ b/NEWS Tue Aug 07 10:57:02 2012 -0400
@@ -12,8 +12,10 @@
* Security updates
- CVE-2012-3422, RH840592: Potential read from an uninitialized memory location
- CVE-2012-3423, RH841345: Incorrect handling of not 0-terminated strings
+* Plugin
+ - PR1106: Buffer overflow in plugin table-
* Common
- - PR1049: Extension jnlp's signed jar with the content of only META-INF/* is considered unsigned
+ - PR1049: Extension jnlp's signed jar with the content of only META-INF/* is considered
New in release 1.3 (2012-XX-XX):
* NetX
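Review bot: The added line "- PR1106: Buffer overflow in plugin table-" ends with a stray "-", and the same hunk rewrites the PR1049 entry so that it now stops at "is considered", dropping the word "unsigned" that carried its meaning. Neither matches a change described as fixing PR1106; suggest removing the trailing hyphen and restoring the PR1049 line, or rewrapping it so the continuation is kept. Since the fix bounds a memcpy, it is also worth deciding whether the entry belongs next to the CVE items under "Security updates" rather than under a new "Plugin" heading.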
diff -r 31b729370710 -r f50ebe7b01da plugin/icedteanp/IcedTeaNPPlugin.cc
--- a/plugin/icedteanp/IcedTeaNPPlugin.cc Tue Aug 07 12:24:29 2012 +0200
+++ b/plugin/icedteanp/IcedTeaNPPlugin.cc Tue Aug 07 10:57:02 2012 -0400
@@ -2043,8 +2043,13 @@
//Ensure any unused fields are NULL
memset(&browser_functions, 0, sizeof(NPNetscapeFuncs));
+
+ //browserTable->size can be larger than sizeof(NPNetscapeFuncs) (PR1106)
+ size_t copySize = browserTable->size < sizeof(NPNetscapeFuncs) ?
+ browserTable->size : sizeof(NPNetscapeFuncs);
+
//Copy fields according to given size
- memcpy(&browser_functions, browserTable, browserTable->size);
+ memcpy(&browser_functions, browserTable, copySize);
return true;
}
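Review bot: The clamp on copySize bounds the memcpy, but after the copy browser_functions holds the browser's bytes as-is, so if the size member is among them, browser_functions.size can still report a value larger than sizeof(NPNetscapeFuncs), and any later code that trusts that field as a length would repeat the overrun. Suggest writing copySize back into browser_functions.size right after the memcpy. The hunk also sets no lower bound: a browserTable->size smaller than the struct leaves the trailing entries NULL from the memset, which is safe only if every call through browser_functions checks for NULL first, so a short comment saying so next to "Ensure any unused fields are NULL" would help.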