Plugin shell passes garbage to victimizable plugins (0x1 as pointer for extension)

VERIFIED FIXED

Status


Core
Plug-ins
critical
15 years ago
15 years ago

People

(Reporter: timeless, Assigned: timeless)

Tracking

({crash})

Trunk
x86
Windows 2000
crash



Attachments

(1 attachment)

fix (1.28 KB, patch): Peter Lubczynski: review+; dbaron: superreview+
(Assignee)

Description

15 years ago
This seems familiar, but I can't find it reported; perhaps it's living in one of
my other patches? But it wasn't in my tree, because it crashed there.

Anyway, the problem is present in CVS head (lxr/bonsai inspection).
The problem was reproduced using the Windows 2003020208 talkback nightly.

Steps to reproduce: load the URL.
Expected results: some plugin thing which tells me I need a plugin or something
to handle application/timeless content.
Actual results: a dialog that told me that a plugin crashed.

Fragment showing where the crash is:
  if(szFileExtension && *szFileExtension)
+	szFileExtension	0x00000001 ""
CPlugin::CPlugin(HINSTANCE__ * 0x07d80000, _NPP * 0x0f277a48, unsigned short 1,
char * 0x0f277f08, char * 0x00000000, char * 0x00000000, char * 0x00000001, int
0) line 150
NPP_New(char * 0x0f277f08, _NPP * 0x0f277a48, unsigned short 1, short 1, char *
* 0x131aa9c0, char * * 0x0ee961b8, _NPSavedData * 0x00000000) line 116 + 62 bytes
ns4xPluginInstance::InitializePlugin(nsIPluginInstancePeer * 0x0f277a98) line
814 + 105 bytes
ns4xPluginInstance::Initialize(ns4xPluginInstance * const 0x0f277a30,
nsIPluginInstancePeer * 0x0f277a98) line 625

argn[i] 0x0ee96200 "src"
argv[i] 0x13182640 "application/timeless,1"
buf = argv[i]
   102             /* some post-processing on the filename to attempt to extract the extension:  */
   103             if(buf != NULL)
   104             {
   105               buf = strrchr(buf, '.');
   106               szFileExtension = ++buf;
   107             }

NPP_New(char * 0x0f277f08, _NPP * 0x0f277a48, unsigned short 1, short 1, char *
* 0x131aa9c0, char * * 0x0ee961b8, _NPSavedData * 0x00000000) line 106
ns4xPluginInstance::InitializePlugin(nsIPluginInstancePeer * 0x0f277a98) line
814 + 105 bytes
ns4xPluginInstance::Initialize(ns4xPluginInstance * const 0x0f277a30,
nsIPluginInstancePeer * 0x0f277a98) line 625
nsPluginHostImpl::SetUpDefaultPluginInstance(const char * 0x0012f704, nsIURI *
0x1329f308, nsIPluginInstanceOwner * 0x0f18e9d0) line 4006 + 21 bytes
nsPluginHostImpl::InstantiateEmbededPlugin(nsPluginHostImpl * const 0x03a0c27c,
const char * 0x0012f704, nsIURI * 0x1329f308, nsIPluginInstanceOwner *
0x0f18e9d0) line 3422 + 23 bytes
nsPluginStreamListenerPeer::OnStartRequest(nsPluginStreamListenerPeer * const
0x0f17a590, nsIRequest * 0x1328cd88, nsISupports * 0x00000000) line 2102 + 47 bytes
nsDataChannel::OnStartRequest(nsDataChannel * const 0x1328cd8c, nsIRequest *
0x1328cd88, nsISupports * 0x00000000) line 527 + 34 bytes
nsOnStartRequestEvent0::HandleEvent(nsOnStartRequestEvent0 * const 0x0f17a6e0)
line 225 + 26 bytes
nsStreamListenerEvent0::HandlePLEvent(PLEvent * 0x0f17a6f0) line 113 + 12 bytes
PL_HandleEvent(PLEvent * 0x0f17a6f0) line 663 + 10 bytes
PL_ProcessPendingEvents(PLEventQueue * 0x00f43000) line 593 + 9 bytes
nsEventQueueImpl::ProcessPendingEvents(nsEventQueueImpl * const 0x00eb82e0) line
381 + 12 bytes
nsWindow::DispatchPendingEvents() line 3721
nsWindow::ProcessMessage(unsigned int 261, unsigned int 9, long -1609629695,
long * 0x0012fc48) line 3958
nsWindow::WindowProc(HWND__ * 0x00fc06c8, unsigned int 261, unsigned int 9, long
-1609629695) line 1399 + 27 bytes
USER32! 77e13eb0()
USER32! 77e1401a()
USER32! 77e13f0f()
nsAppShellService::Run(nsAppShellService * const 0x03a0fc60) line 466
main1(int 5, char * * 0x002e43d0, nsISupports * 0x002d6f08) line 1543 + 32 bytes
main(int 5, char * * 0x002e43d0) line 1904 + 37 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77e87903()

Code flaw is present in 4 files at least:
mozilla/modules/plugin/default/os2/npshell.cpp
mozilla/modules/plugin/default/windows/npshell.cpp
mozilla/modules/plugin/samples/default/os2/npshell.cpp
mozilla/modules/plugin/samples/default/windows/npshell.cpp

This probably warrants an audit :(.
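As an added example (not the npshell.cpp code or the attached patch), a hardened version of the extension-extraction fragment quoted above, in C, plus a helper that redoes the original pointer arithmetic on an integer so the 0x00000001 value from the crash dump can be observed without dereferencing it. The names safe_file_extension, original_extension_address and extension_is_usable are chosen here; the caller stands in for the check at CPlugin::CPlugin line 150.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the npshell.cpp code: returns a pointer to the text after
 * the last '.', or NULL when the value has no '.' at all.  A trailing '.'
 * yields an empty string, which the caller's (ext && *ext) test rejects. */
static const char *safe_file_extension(const char *buf)
{
    const char *dot;
    if (buf == NULL)
        return NULL;
    dot = strrchr(buf, '.');
    if (dot == NULL)            /* the case the original fragment missed */
        return NULL;
    return dot + 1;
}

/* Repeats the original "buf = strrchr(buf, '.'); szFileExtension = ++buf;"
 * on an integer instead of a pointer.  For a value with no '.', strrchr
 * returns NULL (0) and the unconditional increment produces address 1: the
 * 0x00000001 "" seen in the debugger fragment above.  Returns that address. */
static uintptr_t original_extension_address(const char *buf)
{
    uintptr_t p = (uintptr_t)strrchr(buf, '.');  /* 0 when no '.' present */
    return p + 1;                                /* the original ++buf */
}

/* Hypothetical caller standing in for the check at CPlugin::CPlugin line 150:
 * 1 if the extension is non-empty and safe to use, 0 otherwise.  It never
 * reads through a garbage pointer because safe_file_extension returns NULL
 * instead of NULL + 1.  Constructed input such as "application/timeless,1"
 * (the src value from the stack above) now yields 0 rather than a crash. */
static int extension_is_usable(const char *src_attr)
{
    const char *ext = safe_file_extension(src_attr);
    return (ext != NULL && *ext != '\0') ? 1 : 0;
}
```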
(Assignee)

Comment 1

15 years ago
Created attachment 113936 [details] [diff] [review]
fix

OK. Of the four, 2 are dead; the live OS/2 one was patched - bug 154161.
Of the lxr hits, only windows toolkit and mailnews sound datasource look scary.
(Assignee)

Updated

15 years ago
Attachment #113936 - Flags: superreview?(dbaron)
Attachment #113936 - Flags: review?(peterl)
Attachment #113936 - Flags: superreview?(dbaron) → superreview+

Comment 2

15 years ago
Comment on attachment 113936 [details] [diff] [review]
fix

r=peterl
Attachment #113936 - Flags: review?(peterl) → review+
(Assignee)

Comment 3

15 years ago
Checked in.
Status: NEW → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED