File icedtea-web-pr1106-firefox-crash.patch of Package icedtea-web

Index: icedtea-web-1.2.1/ChangeLog
===================================================================
--- icedtea-web-1.2.1.orig/ChangeLog	2012-07-24 20:38:05.154359763 +0200
+++ icedtea-web-1.2.1/ChangeLog	2012-08-08 14:44:47.042059960 +0200
@@ -1,3 +1,10 @@
+2012-08-07  Adam Domurad  <adomurad@redhat.com>
+
+	Fixes PR1106, plugin crashing with firefox + archlinux/gentoo
+	* plugin/icedteanp/IcedTeaNPPlugin.cc
+	(initialize_browser_functions): Account for the fact that
+	browserTable->size can be larger than sizeof(NPNetscapeFuncs)
+
 2012-07-24  Deepak Bhole <dbhole@redhat.com>
 
 	* configure.ac: Prepare for 1.2.1
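Review bot: The new ChangeLog entry lists only plugin/icedteanp/IcedTeaNPPlugin.cc, but this patch also changes NEWS, so the entry should carry a line such as "* NEWS: Mention PR1106". The entry also calls the issue a crash while the NEWS line calls it a buffer overflow; using "buffer overflow" in both places makes the security-relevant nature of the fix easy to find when scanning the log.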
Index: icedtea-web-1.2.1/NEWS
===================================================================
--- icedtea-web-1.2.1.orig/NEWS	2012-07-24 20:38:05.155359749 +0200
+++ icedtea-web-1.2.1/NEWS	2012-08-08 14:45:12.747058745 +0200
@@ -17,6 +17,7 @@
   - PR811: javaws is not handling urls with spaces (and other characters needing encoding) correctly
   - 816592: icedtea-web not loading GeoGebra java applets in Firefox or Chrome
 * Plugin
+  - PR1106: Buffer overflow in plugin table-
   - PR863: Error passing strings to applet methods in Chromium
   - PR895: IcedTea-Web searches for missing classes on each loadClass or findClass
   - PR518: NPString.utf8characters not guaranteed to be nul-terminated
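Review bot: The added PR1106 line ends with a stray hyphen ("Buffer overflow in plugin table-"), which reads like a truncated word. Drop the trailing "-", and consider naming what overflows, for example the copy of the browser function table, so the entry is understandable without opening the bug.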
Index: icedtea-web-1.2.1/plugin/icedteanp/IcedTeaNPPlugin.cc
===================================================================
--- icedtea-web-1.2.1.orig/plugin/icedteanp/IcedTeaNPPlugin.cc	2012-08-08 14:43:56.826062333 +0200
+++ icedtea-web-1.2.1/plugin/icedteanp/IcedTeaNPPlugin.cc	2012-08-08 14:44:09.008061757 +0200
@@ -2053,8 +2053,13 @@
 
   //Ensure any unused fields are NULL
   memset(&browser_functions, 0, sizeof(NPNetscapeFuncs));
+
+  //browserTable->size can be larger than sizeof(NPNetscapeFuncs) (PR1106)
+  size_t copySize = browserTable->size < sizeof(NPNetscapeFuncs) ?
+                    browserTable->size : sizeof(NPNetscapeFuncs);
+
   //Copy fields according to given size
-  memcpy(&browser_functions, browserTable, browserTable->size);
+  memcpy(&browser_functions, browserTable, copySize);
 
   return true;
 }
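Review bot: After the clamped memcpy, browser_functions.size still holds whatever the browser supplied, because the size field is copied along with the rest of the table, so it can remain larger than sizeof(NPNetscapeFuncs) even though only copySize bytes are valid. Setting browser_functions.size = copySize right after the copy would keep any later size-based check honest. A smaller point: the ternary compares browserTable->size with a size_t, which is fine through integer promotion, but a min-style helper or an explicit if would read more clearly than the two-line conditional.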