Closed Bug 591019 Opened 14 years ago Closed 14 years ago

Crash if description returned by plugin is empty

Categories

(Core Graveyard :: Plug-ins, defect)

x86
Linux
defect
Not set
normal

Tracking

(blocking2.0 beta5+, status1.9.2 unaffected, status1.9.1 unaffected)

RESOLVED FIXED

People

(Reporter: mjarvin, Assigned: mjarvin)

References

Details

(Keywords: crash, regression, Whiteboard: [sg:nse])

Attachments

(1 file)

The following code is from the Unix implementation of

nsPluginFile::GetPluginInfo(nsPluginInfo& info, PRLibrary **outLibrary)
....
    const char *description = NULL;
    nperr = npGetValue(NULL, NPPVpluginDescriptionString, &description);
    if (description) {
        info.fDescription = PL_strdup(description);
    }
    else {
        info.fDescription = "";
    }
...

In 

nsPluginFile::FreePluginInfo(nsPluginInfo& info)
......
if (info.fDescription != nsnull)
   PL_strfree(info.fDescription);


If the description returned by npGetValue is empty, this will result in a crash, because PL_strdup is not called for "".
Blocks: 578868
blocking2.0: --- → ?
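
Added example, not part of the bug report or of Mozilla's code: a C model of the allocation/free mismatch described in the report above, next to the fix pattern of duplicating the empty string too. The names tracked_strdup, tracked_free, fill_info_buggy, fill_info_fixed and free_info are hypothetical stand-ins for PL_strdup, PL_strfree, GetPluginInfo and FreePluginInfo; the tracker is an assumption that reports a free of a pointer it never allocated instead of handing it to free().

```c
#include <stdlib.h>
#include <string.h>
/* Assumption: tracked_* stand in for PL_strdup/PL_strfree and remember the
 * pointers they returned, so a bad free is reported instead of executed. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];

static char *tracked_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) return NULL;
    memcpy(p, s, n);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                       /* table full: treat as allocation failure */
    return NULL;
}

/* Returns 0 on success, -1 if p was never returned by tracked_strdup. */
static int tracked_free(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    return -1;
}

struct plugin_info { char *description; };

/* Pattern from the report: a string literal is stored on the NULL path. */
static void fill_info_buggy(struct plugin_info *info, const char *desc) {
    if (desc) info->description = tracked_strdup(desc);
    else      info->description = (char *)"";
}

/* Pattern of the fix: every path stores a heap copy. */
static void fill_info_fixed(struct plugin_info *info, const char *desc) {
    info->description = tracked_strdup(desc ? desc : "");
}

/* Mirrors FreePluginInfo: frees whatever non-NULL pointer is stored. */
static int free_info(struct plugin_info *info) {
    int rc = info->description ? tracked_free(info->description) : 0;
    info->description = NULL;
    return rc;
}

int main(void) {  /* exits 0 when the literal is rejected and the copy is freed */
    struct plugin_info a, b;
    fill_info_buggy(&a, NULL); fill_info_fixed(&b, NULL);
    return (free_info(&a) == -1 && free_info(&b) == 0) ? 0 : 1;
}
```
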
Added a patch which PL_strdups the empty description string.
Assignee: nobody → mjarvin
Status: NEW → ASSIGNED
Attachment #469580 - Flags: review?(joshmoz)
Not attacker-controllable, doesn't need to be security-sensitive.

Bug dependencies indicate that this is a recent regression. Can we confirm?

In the future, please cc the module owner on security bugs, or else he may never know they are there!
Group: core-security
Miika did talk to me before filing this bug so I knew it was here, but yes, cc is even better.
Attachment #469580 - Flags: review?(joshmoz) → review+
Keywords: crash
Whiteboard: [sg:nse]
My read on this is that this is a regression since beta4, introduced in bug 578868, and we should take this for beta5.
blocking2.0: ? → beta5+
Keywords: regression
Pushed in http://hg.mozilla.org/mozilla-central/rev/b72a9d7381e0
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard