/hg/release/icedtea-web-1.2: Fixes PR1106, buffer overflow in pl...

adomurad at icedtea.classpath.org adomurad at icedtea.classpath.org
Tue Aug 7 07:59:56 PDT 2012


changeset f6cdd8639a8d in /hg/release/icedtea-web-1.2
details: http://icedtea.classpath.org/hg/release/icedtea-web-1.2?cmd=changeset;node=f6cdd8639a8d
author: Adam Domurad <adomurad at redhat.com>
date: Tue Aug 07 10:59:11 2012 -0400

	Fixes PR1106, buffer overflow in plugin table


diffstat:

 ChangeLog                           |  7 +++++++
 NEWS                                |  2 ++
 plugin/icedteanp/IcedTeaNPPlugin.cc |  7 ++++++-
 3 files changed, 15 insertions(+), 1 deletions(-)

diffs (44 lines):

diff -r a0ac102c8ed5 -r f6cdd8639a8d ChangeLog
--- a/ChangeLog	Thu Aug 02 09:11:37 2012 -0400
+++ b/ChangeLog	Tue Aug 07 10:59:11 2012 -0400
@@ -1,3 +1,10 @@
+2012-08-07  Adam Domurad  <adomurad at redhat.com>
+
+	Fixes PR1106, plugin crashing with firefox + archlinux/gentoo
+	* plugin/icedteanp/IcedTeaNPPlugin.cc
+	(initialize_browser_functions): Account for the fact that
+	browserTable->size can be larger than sizeof(NPNetscapeFuncs)
+
 2012-08-02  Adam Domurad  <adomurad at redhat.com>
 
 	* plugin/icedteanp/IcedTeaPluginUtils.cc: Fixed a typo that prevented 
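Review bot: The summary line of the new entry ("plugin crashing with firefox + archlinux/gentoo") records only the symptom, while the commit message and the NEWS item call this a buffer overflow in the plugin table. Suggest naming the overflow here as well and noting that the copy in initialize_browser_functions is now bounded by sizeof(NPNetscapeFuncs), so that someone scanning the ChangeLog for memory-safety fixes finds it. The last sentence of the entry is also missing its closing period.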
diff -r a0ac102c8ed5 -r f6cdd8639a8d NEWS
--- a/NEWS	Thu Aug 02 09:11:37 2012 -0400
+++ b/NEWS	Tue Aug 07 10:59:11 2012 -0400
@@ -9,6 +9,8 @@
 CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
 New in release 1.2.2 (2012-XX-XX):
+* Plugin
+  - PR1106: Buffer overflow in plugin table
 
 New in release 1.2.1 (2012-07-31):
 * Security Updates
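Review bot: The PR1106 item is filed under "* Plugin" although it is worded as a buffer overflow, and the 1.2.1 section directly below uses a "* Security Updates" heading. Worth deciding explicitly whether this item belongs under that heading for 1.2.2; if it stays under "* Plugin", a few words on the trigger (browserTable->size larger than sizeof(NPNetscapeFuncs)) would help packagers judge how urgently to pick it up.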
diff -r a0ac102c8ed5 -r f6cdd8639a8d plugin/icedteanp/IcedTeaNPPlugin.cc
--- a/plugin/icedteanp/IcedTeaNPPlugin.cc	Thu Aug 02 09:11:37 2012 -0400
+++ b/plugin/icedteanp/IcedTeaNPPlugin.cc	Tue Aug 07 10:59:11 2012 -0400
@@ -2053,8 +2053,13 @@
 
   //Ensure any unused fields are NULL
   memset(&browser_functions, 0, sizeof(NPNetscapeFuncs));
+
+  //browserTable->size can be larger than sizeof(NPNetscapeFuncs) (PR1106)
+  size_t copySize = browserTable->size < sizeof(NPNetscapeFuncs) ?
+                    browserTable->size : sizeof(NPNetscapeFuncs);
+
   //Copy fields according to given size
-  memcpy(&browser_functions, browserTable, browserTable->size);
+  memcpy(&browser_functions, browserTable, copySize);
 
   return true;
 }
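Review bot: After the clamped memcpy, browser_functions.size still holds the browser's value copied from browserTable, which by the new comment can be larger than sizeof(NPNetscapeFuncs), so any later code that trusts browser_functions.size as the extent of the local table would read past it. Suggest setting browser_functions.size = copySize right after the copy. The clamp covers only the upper bound: when browserTable->size is smaller than the struct, the trailing function pointers stay NULL from the memset, so callers of those entries need a NULL check or this function should fail if a required entry is absent. Minor: the comparison mixes the type of browserTable->size with size_t; an explicit cast or std::min<size_t>() would make the intent clearer.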