Closed Bug 192445 Opened 22 years ago Closed 22 years ago

Plugin shell passes garbage to victimizable plugins (0x1 as pointer for extension)

Categories

(Core Graveyard :: Plug-ins, defect)

Product:
Core Graveyard
Component:
Plug-ins
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: timeless, Assigned: timeless)

References

(
URL
)

Details

(Keywords: crash)

Attachments

(1 file)

fix
1.28 KB, patch
peterlubczynski-bugs
: review+
dbaron
: superreview+
Details | Diff | Splinter Review 
This seems familiar, but i can't find it reported perhaps it's living in one of
my other patches? but it wasn't in my tree because it crashed there.

anyway. problem is present in cvs head (lxr/bonsai inspection)
problem reproduced using windows 2003020208 talkback nightly

steps to reproduce: load the url
expected results: some plugin thing which tells me i need a plugin or something
to handle application/timeless content.
actual results: a dialog that told me that a plugin crashed.

Fragment showing where the crash is:
  if(szFileExtension && *szFileExtension)
+	szFileExtension	0x00000001 ""
CPlugin::CPlugin(HINSTANCE__ * 0x07d80000, _NPP * 0x0f277a48, unsigned short 1,
char * 0x0f277f08, char * 0x00000000, char * 0x00000000, char * 0x00000001, int
0) line 150
NPP_New(char * 0x0f277f08, _NPP * 0x0f277a48, unsigned short 1, short 1, char *
* 0x131aa9c0, char * * 0x0ee961b8, _NPSavedData * 0x00000000) line 116 + 62 bytes
ns4xPluginInstance::InitializePlugin(nsIPluginInstancePeer * 0x0f277a98) line
814 + 105 bytes
ns4xPluginInstance::Initialize(ns4xPluginInstance * const 0x0f277a30,
nsIPluginInstancePeer * 0x0f277a98) line 625

argn[i] 0x0ee96200 "src"
argv[i] 0x13182640 "application/timeless,1"
buf = argv[i]
   102             /* some post-processing on the filename to attempt to extract
the extension:  */
   103             if(buf != NULL)
   104             {
   105               buf = strrchr(buf, '.');
   106               szFileExtension = ++buf;
   107             }

NPP_New(char * 0x0f277f08, _NPP * 0x0f277a48, unsigned short 1, short 1, char *
* 0x131aa9c0, char * * 0x0ee961b8, _NPSavedData * 0x00000000) line 106
ns4xPluginInstance::InitializePlugin(nsIPluginInstancePeer * 0x0f277a98) line
814 + 105 bytes
ns4xPluginInstance::Initialize(ns4xPluginInstance * const 0x0f277a30,
nsIPluginInstancePeer * 0x0f277a98) line 625
nsPluginHostImpl::SetUpDefaultPluginInstance(const char * 0x0012f704, nsIURI *
0x1329f308, nsIPluginInstanceOwner * 0x0f18e9d0) line 4006 + 21 bytes
nsPluginHostImpl::InstantiateEmbededPlugin(nsPluginHostImpl * const 0x03a0c27c,
const char * 0x0012f704, nsIURI * 0x1329f308, nsIPluginInstanceOwner *
0x0f18e9d0) line 3422 + 23 bytes
nsPluginStreamListenerPeer::OnStartRequest(nsPluginStreamListenerPeer * const
0x0f17a590, nsIRequest * 0x1328cd88, nsISupports * 0x00000000) line 2102 + 47 bytes
nsDataChannel::OnStartRequest(nsDataChannel * const 0x1328cd8c, nsIRequest *
0x1328cd88, nsISupports * 0x00000000) line 527 + 34 bytes
nsOnStartRequestEvent0::HandleEvent(nsOnStartRequestEvent0 * const 0x0f17a6e0)
line 225 + 26 bytes
nsStreamListenerEvent0::HandlePLEvent(PLEvent * 0x0f17a6f0) line 113 + 12 bytes
PL_HandleEvent(PLEvent * 0x0f17a6f0) line 663 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00f43000) line 593 + 9 bytes
nsEventQueueImpl::ProcessPendingEvents(nsEventQueueImpl * const 0x00eb82e0) line
381 + 12 bytes
nsWindow::DispatchPendingEvents() line 3721
nsWindow::ProcessMessage(unsigned int 261, unsigned int 9, long -1609629695,
long * 0x0012fc48) line 3958
nsWindow::WindowProc(HWND__ * 0x00fc06c8, unsigned int 261, unsigned int 9, long
-1609629695) line 1399 + 27 bytes
USER32! 77e13eb0()
USER32! 77e1401a()
USER32! 77e13f0f()
nsAppShellService::Run(nsAppShellService * const 0x03a0fc60) line 466
main1(int 5, char * * 0x002e43d0, nsISupports * 0x002d6f08) line 1543 + 32 bytes
main(int 5, char * * 0x002e43d0) line 1904 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87903()

Code flaw is present in 4 files at least:
mozilla/modules/plugin/default/os2/npshell.cpp
mozilla/modules/plugin/default/windows/npshell.cpp
mozilla/modules/plugin/samples/default/os2/npshell.cpp
mozilla/modules/plugin/samples/default/windows/npshell.cpp

This probably warrants an audit :(.
Attached patch fixSplinter Review 
ok. of the four, 2 are dead, the live os/2 was patched - bug 154161.
of the lxr hits only windows toolkit and mailnews sound datasource look scary.
Attachment #113936 - Flags: superreview?(dbaron)
Attachment #113936 - Flags: review?(peterl)
Attachment #113936 - Flags: superreview?(dbaron) → superreview+
Comment on attachment 113936 [details] [diff] [review]
fix

r=peterl
Attachment #113936 - Flags: review?(peterl) → review+
checked in
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: