Bug 591019: Crash if description returned by plugin is empty
Status: RESOLVED FIXED (opened 14 years ago, closed 14 years ago)
Categories: Core Graveyard :: Plug-ins, defect
Tracking: blocking2.0 beta5+, status1.9.2 unaffected, status1.9.1 unaffected
People: Reporter: mjarvin, Assigned: mjarvin
Keywords: crash, regression
Whiteboard: [sg:nse]
Attachments (1 file): patch, 712 bytes, jaas: review+
The following code is from the Unix implementation of
nsPluginFile::GetPluginInfo(nsPluginInfo& info, PRLibrary **outLibrary):

    ....
    const char *description = NULL;
    nperr = npGetValue(NULL, NPPVpluginDescriptionString, &description);
    if (description) {
        info.fDescription = PL_strdup(description);
    }
    else {
        info.fDescription = "";
    }
    ...

In nsPluginFile::FreePluginInfo(nsPluginInfo& info):

    ......
    if (info.fDescription != nsnull)
        PL_strfree(info.fDescription);

If the description returned by npGetValue is empty, this will result in a crash, because PL_strdup is not called for "".
Comment 1 • 14 years ago (Assignee)
Added a patch, which PL_strdup:s the empty description string.
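The ownership mismatch described in this report, as an added example in C that is not the Mozilla source and not the attached patch. `PluginInfo`, the `tracked_*` ledger (a stand-in for PL_strdup/PL_strfree) and the `get_info_*` names are assumptions; the ledger makes the invalid free observable as a return value instead of a crash.

```c
#include <stdlib.h>
#include <string.h>
typedef struct { char *fDescription; } PluginInfo; /* stand-in for nsPluginInfo */

/* Small allocation ledger standing in for PL_strdup/PL_strfree, so a free
   of a non-heap pointer is reported instead of corrupting the heap. */
#define MAX_LIVE 16
static char *live[MAX_LIVE];

static char *tracked_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p) return NULL;
    strcpy(p, s);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p); return NULL;   /* ledger full: refuse rather than lose track */
}

/* Returns 0 on a valid free, -1 if p was never allocated through the ledger. */
static int tracked_free(char *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return 0; }
    return -1;
}

/* Pattern from the report: the else branch stores a string literal. */
static void get_info_buggy(PluginInfo *info, const char *description) {
    if (description) info->fDescription = tracked_strdup(description);
    else             info->fDescription = (char *)"";
}

/* Fix described in comment 1: the empty description is duplicated too. */
static void get_info_fixed(PluginInfo *info, const char *description) {
    info->fDescription = tracked_strdup(description ? description : "");
}

/* Mirrors FreePluginInfo: frees whatever non-null pointer it is handed. */
static int free_info(PluginInfo *info) {
    char *p = info->fDescription;
    info->fDescription = NULL;
    return p ? tracked_free(p) : 0;
}

int main(void) {   /* exit status 0 when both outcomes are as expected */
    PluginInfo a, b;
    get_info_buggy(&a, NULL);
    get_info_fixed(&b, NULL);
    return !(free_info(&a) == -1 && free_info(&b) == 0);
}
```

The invariant the fixed form restores is that every non-null `fDescription` is heap-owned, so the free path never needs to know which branch produced it.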
Comment 2 • 14 years ago
Not attacker-controllable, doesn't need to be security-sensitive.
Bug dependencies indicate that this is a recent regression. Can we confirm?
In the future, please cc the module owner on security bugs, or else he may never know they are there!
Group: core-security
Miika did talk to me before filing this bug so I knew it was here, but yes, cc is even better.
Attachment #469580 - Flags: review?(joshmoz) → review+
Comment 4 • 14 years ago
My read on this is that this is a regression since beta4, introduced in bug 578868, and we should take this for beta5.
blocking2.0: ? → beta5+
Keywords: regression
Comment 5 • 14 years ago
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 14 years ago
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
Updated • 2 years ago
Product: Core → Core Graveyard