
Crash if description returned by plugin is empty

RESOLVED FIXED

Product: Core
Component: Plug-ins
People

(Reporter: Miika Jarvinen, Assigned: Miika Jarvinen)

Tracking

Version: Trunk
Hardware: x86
OS: Linux
Keywords: crash, regression
Points: ---

Firefox Tracking Flags

(blocking2.0 beta5+, status1.9.2 unaffected, status1.9.1 unaffected)

Details

Whiteboard: [sg:nse]

Attachments

(1 attachment)

Description (Assignee)

7 years ago
The following code is from the Unix implementation of

nsPluginFile::GetPluginInfo(nsPluginInfo& info, PRLibrary **outLibrary)
....
    const char *description = NULL;
    nperr = npGetValue(NULL, NPPVpluginDescriptionString, &description);
    if (description) {
        info.fDescription = PL_strdup(description);
    }
    else {
        info.fDescription = "";
    }
...

In 

nsPluginFile::FreePluginInfo(nsPluginInfo& info)
......
    if (info.fDescription != nsnull)
        PL_strfree(info.fDescription);

If the description returned by npGetValue is empty, this will result in a crash, because PL_strdup is not called for "".
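The ownership mismatch described above, as an added example in plain C that is not the bug's own code or the attached patch: nsPluginInfo, npGetValue and PL_strdup are replaced by constructed stand-ins (PluginInfo, np_get_description, dup_string), free() stands in for PL_strfree, and the buggy/fixed function pairs plus the two check helpers are names chosen here. The buggy variant stores a pointer into static storage on one branch, so the unconditional free in the teardown path is undefined behaviour; the fixed variant copies on every branch, so teardown is always valid.

```c
#include <stdlib.h>
#include <string.h>
typedef struct { char *fDescription; } PluginInfo; /* constructed stand-in for nsPluginInfo */
static const char kEmptyLiteral[] = "";            /* static storage, never malloc'd */

static char *dup_string(const char *s) {           /* stand-in for PL_strdup */
    char *copy = malloc(strlen(s) + 1);
    return copy ? strcpy(copy, s) : NULL;
}

/* Constructed stand-in for npGetValue(NPPVpluginDescriptionString); NULL = no description. */
static void np_get_description(const char **out, int has_description) {
    *out = has_description ? "constructed test plugin" : NULL;
}

/* Before the fix: heap copy on one branch, pointer to static storage on the other. */
static void get_plugin_info_buggy(PluginInfo *info, int has_description) {
    const char *description = NULL;
    np_get_description(&description, has_description);
    info->fDescription = description ? dup_string(description) : (char *)kEmptyLiteral;
}

/* After the fix (the patch PL_strdup:s "" as well): every branch stores a heap copy. */
static void get_plugin_info_fixed(PluginInfo *info, int has_description) {
    const char *description = NULL;
    np_get_description(&description, has_description);
    info->fDescription = dup_string(description ? description : "");
}

/* Mirrors nsPluginFile::FreePluginInfo: PL_strfree (here free()) on anything non-NULL. */
static void free_plugin_info(PluginInfo *info) {
    if (info->fDescription != NULL) free(info->fDescription); /* UB if it is kEmptyLiteral */
}

/* Returns 1 if the buggy path stored memory that free_plugin_info() must not free. */
static int buggy_stores_literal(int has_description) {
    PluginInfo info = {0};
    get_plugin_info_buggy(&info, has_description);
    int literal = (info.fDescription == kEmptyLiteral);
    if (!literal) free_plugin_info(&info); /* only the heap copy may be freed */
    return literal;
}

/* Returns 1 if the fixed path stored a freeable heap copy holding the expected text. */
static int fixed_round_trips(int has_description) {
    PluginInfo info = {0};
    get_plugin_info_fixed(&info, has_description);
    const char *want = has_description ? "constructed test plugin" : "";
    int ok = info.fDescription && info.fDescription != kEmptyLiteral && strcmp(info.fDescription, want) == 0;
    free_plugin_info(&info); /* always valid after the fix */
    return ok;
}
```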
Updated (Assignee)

7 years ago
Blocks: 578868
blocking2.0: --- → ?
Comment 1 (Assignee)

7 years ago
Created attachment 469580 [details] [diff] [review]
PL_strdup empty description

Added a patch which PL_strdup:s the empty description string.
Assignee: nobody → mjarvin
Status: NEW → ASSIGNED
Attachment #469580 - Flags: review?(joshmoz)

Comment 2

7 years ago
Not attacker-controllable, doesn't need to be security-sensitive.

Bug dependencies indicate that this is a recent regression. Can we confirm?

In the future, please cc the module owner on security bugs, or else he may never know they are there!
Group: core-security

Comment 3

7 years ago
Miika did talk to me before filing this bug so I knew it was here, but yes, cc is even better.

Updated

7 years ago
Attachment #469580 - Flags: review?(joshmoz) → review+
Keywords: crash
Whiteboard: [sg:nse]
My read on this is that this is a regression since beta4, introduced in bug 578868, and we should take this for beta5.
blocking2.0: ? → beta5+
Keywords: regression
Pushed in http://hg.mozilla.org/mozilla-central/rev/b72a9d7381e0
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected