Bug 192445 - Plugin shell passes garbage to victimizable plugins (0x1 as pointer for extension)
Status: VERIFIED FIXED (Closed)
Opened 22 years ago; closed 22 years ago
Categories: Core Graveyard :: Plug-ins, defect
Tracking: not tracked
Keywords: crash
People: Reporter: timeless; Assigned: timeless
Attachments (1 file): patch, 1.28 KB; peterlubczynski-bugs: review+; dbaron: superreview+
Description (timeless):

This seems familiar, but I can't find it reported. Perhaps it's living in one of my other patches? But it wasn't in my tree, because it crashed there. Anyway.

Problem is present in CVS HEAD (lxr/bonsai inspection). Problem reproduced using Windows 2003020208 talkback nightly.

Steps to reproduce:
load the url

Expected results:
some plugin thing which tells me I need a plugin or something to handle application/timeless content.

Actual results:
a dialog that told me that a plugin crashed.

Fragment showing where the crash is:

if(szFileExtension && *szFileExtension)
+ szFileExtension 0x00000001 ""

CPlugin::CPlugin(HINSTANCE__ * 0x07d80000, _NPP * 0x0f277a48, unsigned short 1, char * 0x0f277f08, char * 0x00000000, char * 0x00000000, char * 0x00000001, int 0) line 150
NPP_New(char * 0x0f277f08, _NPP * 0x0f277a48, unsigned short 1, short 1, char * * 0x131aa9c0, char * * 0x0ee961b8, _NPSavedData * 0x00000000) line 116 + 62 bytes
ns4xPluginInstance::InitializePlugin(nsIPluginInstancePeer * 0x0f277a98) line 814 + 105 bytes
ns4xPluginInstance::Initialize(ns4xPluginInstance * const 0x0f277a30, nsIPluginInstancePeer * 0x0f277a98) line 625

argn[i] 0x0ee96200 "src"
argv[i] 0x13182640 "application/timeless,1"
buf = argv[i]

102 /* some post-processing on the filename to attempt to extract the extension: */
103 if(buf != NULL)
104 {
105   buf = strrchr(buf, '.');
106   szFileExtension = ++buf;
107 }

NPP_New(char * 0x0f277f08, _NPP * 0x0f277a48, unsigned short 1, short 1, char * * 0x131aa9c0, char * * 0x0ee961b8, _NPSavedData * 0x00000000) line 106
ns4xPluginInstance::InitializePlugin(nsIPluginInstancePeer * 0x0f277a98) line 814 + 105 bytes
ns4xPluginInstance::Initialize(ns4xPluginInstance * const 0x0f277a30, nsIPluginInstancePeer * 0x0f277a98) line 625
nsPluginHostImpl::SetUpDefaultPluginInstance(const char * 0x0012f704, nsIURI * 0x1329f308, nsIPluginInstanceOwner * 0x0f18e9d0) line 4006 + 21 bytes
nsPluginHostImpl::InstantiateEmbededPlugin(nsPluginHostImpl * const 0x03a0c27c, const char * 0x0012f704, nsIURI * 0x1329f308, nsIPluginInstanceOwner * 0x0f18e9d0) line 3422 + 23 bytes
nsPluginStreamListenerPeer::OnStartRequest(nsPluginStreamListenerPeer * const 0x0f17a590, nsIRequest * 0x1328cd88, nsISupports * 0x00000000) line 2102 + 47 bytes
nsDataChannel::OnStartRequest(nsDataChannel * const 0x1328cd8c, nsIRequest * 0x1328cd88, nsISupports * 0x00000000) line 527 + 34 bytes
nsOnStartRequestEvent0::HandleEvent(nsOnStartRequestEvent0 * const 0x0f17a6e0) line 225 + 26 bytes
nsStreamListenerEvent0::HandlePLEvent(PLEvent * 0x0f17a6f0) line 113 + 12 bytes
PL_HandleEvent(PLEvent * 0x0f17a6f0) line 663 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00f43000) line 593 + 9 bytes
nsEventQueueImpl::ProcessPendingEvents(nsEventQueueImpl * const 0x00eb82e0) line 381 + 12 bytes
nsWindow::DispatchPendingEvents() line 3721
nsWindow::ProcessMessage(unsigned int 261, unsigned int 9, long -1609629695, long * 0x0012fc48) line 3958
nsWindow::WindowProc(HWND__ * 0x00fc06c8, unsigned int 261, unsigned int 9, long -1609629695) line 1399 + 27 bytes
USER32! 77e13eb0()
USER32! 77e1401a()
USER32! 77e13f0f()
nsAppShellService::Run(nsAppShellService * const 0x03a0fc60) line 466
main1(int 5, char * * 0x002e43d0, nsISupports * 0x002d6f08) line 1543 + 32 bytes
main(int 5, char * * 0x002e43d0) line 1904 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87903()

Code flaw is present in 4 files at least:
mozilla/modules/plugin/default/os2/npshell.cpp
mozilla/modules/plugin/default/windows/npshell.cpp
mozilla/modules/plugin/samples/default/os2/npshell.cpp
mozilla/modules/plugin/samples/default/windows/npshell.cpp

This probably warrants an audit :(.
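The crash described above comes from a classic pointer-arithmetic mistake: strrchr() returns NULL when "src" has no '.', and ++buf then turns that NULL into the bogus pointer 0x1, which passes the caller's non-NULL check and is dereferenced. The following is an added example, not the page's code nor Mozilla's npshell.cpp: it reconstructs the flawed pattern beside a hardened form. Function names and the sample "src" values are assumptions for illustration (only "application/timeless,1" is taken from the report).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same pattern as the quoted npshell.cpp lines 103-107 (hypothetical name).
 * When src contains no '.', strrchr() returns NULL and ++buf turns it into the
 * bogus pointer 0x1 seen in szFileExtension in the report. The caller's later
 * test `szFileExtension && *szFileExtension` passes the non-NULL half and then
 * reads address 0x1. Kept only for comparison; do not use. */
static const char *extract_extension_broken(const char *src)
{
    const char *buf = src;
    if (buf != NULL) {
        buf = strrchr(buf, '.');
        return ++buf;       /* undefined when buf is NULL; yields 0x1 in practice */
    }
    return NULL;
}

/* Hardened form (hypothetical name): advance past the dot only when strrchr()
 * actually found one. Returns NULL when there is no extension, so the call
 * site's `ext && *ext` test is both safe and sufficient. */
static const char *extract_extension_fixed(const char *src)
{
    const char *dot;
    if (src == NULL)
        return NULL;
    dot = strrchr(src, '.');
    if (dot == NULL)
        return NULL;        /* e.g. "application/timeless,1" from the report */
    return dot + 1;         /* "" when src ends in '.'; caught by *ext == '\0' */
}

/* The call-site test from the crash fragment, applied to the fixed helper:
 * 1 when a non-empty extension was found, 0 otherwise. */
static int has_extension(const char *src)
{
    const char *ext = extract_extension_fixed(src);
    return ext != NULL && *ext != '\0';
}

int main(void)
{
    /* Constructed "src" attribute values; the first is the one from the report. */
    const char *samples[] = { "application/timeless,1", "movie.swf", "archive.", NULL };
    for (size_t i = 0; samples[i] != NULL; i++) {
        const char *ext = extract_extension_fixed(samples[i]);
        printf("%-24s -> ext=%s has_extension=%d\n", samples[i],
               ext ? ext : "(none)", has_extension(samples[i]));
    }
    return 0;
}
```

The point a reviewer should take from this: a `ptr && *ptr` guard only protects against NULL, so any arithmetic applied to a possibly-NULL result before the guard defeats it. The check has to sit between the lookup and the increment, not after both.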
OK. Of the four, 2 are dead; the live OS/2 one was patched in bug 154161. Of the LXR hits, only the Windows toolkit and the mailnews sound datasource look scary.
Attachment #113936 - Flags: superreview?(dbaron)
Attachment #113936 - Flags: review?(peterl)
Attachment #113936 - Flags: superreview?(dbaron) → superreview+
Comment 2 • 22 years ago
Comment on attachment 113936 [details] [diff] [review]
fix

r=peterl
Attachment #113936 - Flags: review?(peterl) → review+
checked in
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Marking Verified Fixed. Compared attachment changes to actual checkin. http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=npshell.cpp&root=/cvsroot&subdir=mozilla/modules/plugin/samples/default/windows&command=DIFF_FRAMESET&rev1=1.5&rev2=1.6
Status: RESOLVED → VERIFIED
Updated • 2 years ago
Product: Core → Core Graveyard