[Bug 2714] New: IcedTea-Web plugin sends uninitialized memory garbage across a pipe when NPN_GetValueForURL call fails

bugzilla-daemon at icedtea.classpath.org bugzilla-daemon at icedtea.classpath.org
Fri Nov 13 13:30:29 UTC 2015 

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2714

            Bug ID: 2714
           Summary: IcedTea-Web plugin sends uninitialized memory garbage
                    across a pipe when NPN_GetValueForURL call fails
           Product: IcedTea-Web
           Version: unspecified
          Hardware: x86_64
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Plugin
          Assignee: jvanek at redhat.com
          Reporter: tdaitx at gmail.com
                CC: unassigned at icedtea.classpath.org

Created attachment 1445
  --> http://icedtea.classpath.org/bugzilla/attachment.cgi?id=1445&action=edit
handle error when NPN_GetValueForURL call fails

Original bug report:
https://bugs.launchpad.net/ubuntu/+source/icedtea-web/+bug/1222912

Here's the real issue, one call further in, in the get_proxy_info function:

      gpointer instance=getFirstInTableInstance(instance_to_id_map);
      browser_functions.getvalueforurl((NPP) instance, NPNURLVProxy, siteAddr,
proxy, len);

looking at the docs for that function (NPN_GetValueForURL), the signature is:

NPError NPN_GetValueForURL(NPP instance, NPNURLVariable variable, const char
*url, char **value, uint32_t *len);

and an important point called out for the value parameter:

*Note: the value may have internal NULL bytes and may not be NULL-terminated.*

importantly, neither the return value nor len are actually checked before
moving on and attempting to use the value.

When Firefox is set to use a PAC file that doesn't exist, the function call
fails, no allocation happens for **value (leaving whatever garbage was in
memory before), len is set to 0, but IcedTea disregards that and continues on
as though it succeeded, and concatenates random memory garbage to the plugin
PluginProxyInfo string that is to be sent over to the java process.

Back in the previous function call, it is enough to work around the bug by
changing gchar* proxy; to gchar* proxy = NULL;, but it is perhaps only
partially correct. Attached here is a patch that resolves the issue in my case.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20151113/c8a0bf1c/attachment.html>

More information about the distro-pkg-dev mailing list