Bug 1106552 (Closed)
Opened 10 years ago, closed 10 years ago
NPAPI plugin can get corrupted string inside NPVariant (leads to plugin crash)
Categories: Core Graveyard :: Plug-ins, defect
Tracking: Not tracked
Status: RESOLVED FIXED
Target milestone: mozilla37
People: Reporter: sekogan, Assigned: gfritzsche
Attachments (1 file): patch (deleted), benjamin: review+
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Build ID: 20141128004001

Steps to reproduce:

1. Make an NPAPI plugin for Firefox.
2. In the Javascript part of the plugin call some function from the native part. Pass a big string as a parameter with a zero byte in the middle:

    var bad_data = 'helloworld' + 'x'.repeat(130000) + '\x00' + 'x'.repeat(130000);
    functionFromNpapiPlugin(bad_data);

3. In the NPAPI part of the plugin try to copy the string from NPVariant.

Actual bug is located at line 63 of http://mxr.mozilla.org/mozilla-central/source/dom/plugins/ipc/PluginScriptableObjectUtils-inl.h
String is copied using strdup despite the fact that it is not zero terminated and can contain zero bytes inside.

Actual results:

Length (NPVariant::value::stringValue::utf8length) is unchanged (260010) but content (NPVariant::value::stringValue::utf8characters) has only the first 130010+1 bytes. Plugin generates access violation while trying to read the string beyond the zero byte.

Please find attached dump of some real NPAPI plugin. The third argument of invoke (convertedArgs.Elements()[2]) has NPVariant with corrupted string.

Expected results:

Length and content of the string are unchanged. Plugin can read content of the string.
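As an added illustration (not Mozilla's code and not the attached patch), the two copy strategies side by side: a stand-in NPString struct and a constructed input shaped like the reporter's bad_data, with strdup() truncating at the embedded NUL while a utf8length-based copy keeps every byte. Function names are hypothetical; strdup() would likewise read past the end of a buffer that carries no terminator at all, which the report also points out.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup() */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for NPAPI's NPString (npruntime.h); not guaranteed NUL-terminated. */
typedef struct { const char *utf8characters; uint32_t utf8length; } NPString;

/* Defective copy from the report: strdup() stops at the first zero byte and ignores utf8length. */
char *copy_with_strdup(const NPString *s) { return strdup(s->utf8characters); }

/* Corrected copy: honour utf8length, then append a NUL for C callers. */
char *copy_with_length(const NPString *s) {
    char *buf = malloc((size_t)s->utf8length + 1);
    if (buf == NULL) return NULL;
    memcpy(buf, s->utf8characters, s->utf8length);
    buf[s->utf8length] = '\0';
    return buf;
}

/* Constructed input shaped like the reporter's bad_data:
 * "helloworld" + n * 'x' + '\0' + n * 'x'. Caller frees utf8characters. */
NPString make_bad_data(uint32_t n) {
    NPString s = { malloc(10 + n + 1 + n), 10 + n + 1 + n };
    char *p = (char *)s.utf8characters;
    if (p == NULL) { s.utf8length = 0; return s; }
    memcpy(p, "helloworld", 10);
    memset(p + 10, 'x', n);
    p[10 + n] = '\0';
    memset(p + 10 + n + 1, 'x', n);
    return s;
}

/* Bytes a consumer can see in the strdup() copy: 10 + n, up to the NUL. */
size_t strdup_copy_len(uint32_t n) {
    NPString s = make_bad_data(n);
    char *c = copy_with_strdup(&s);
    size_t seen = c ? strlen(c) : 0;
    free(c); free((void *)s.utf8characters);
    return seen;
}

/* 1 if the length-based copy reproduces all utf8length bytes, NUL included. */
int length_copy_intact(uint32_t n) {
    NPString s = make_bad_data(n);
    char *c = copy_with_length(&s);
    int ok = c != NULL && memcmp(c, s.utf8characters, s.utf8length) == 0;
    free(c); free((void *)s.utf8characters);
    return ok;
}
```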
Comment 1 (Reporter, 10 years ago)
Dump can be downloaded here: https://www.dropbox.com/s/m4pkhimd24a6vc2/plugin_container_33_1_1.zip?dl=0
Comment 2 (Assignee, 10 years ago)
Thanks for the detailed report here.
Assignee: nobody → georg.fritzsche
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Updated 10 years ago: Attachment #8534525 - Flags: review?(benjamin) → review+
Comment 4 (Assignee, 10 years ago)
https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=66e636ea4ff3 https://tbpl.mozilla.org/?tree=Try&rev=66e636ea4ff3
Comment 5 (Assignee, 10 years ago)
And with fixed null-termination: https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=6f124ad79035 https://tbpl.mozilla.org/?tree=Try&rev=6f124ad79035
Comment 6 (Assignee, 10 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/445905b4d3c3
https://hg.mozilla.org/mozilla-central/rev/445905b4d3c3
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Updated 2 years ago: Product: Core → Core Graveyard