# HG changeset patch
# User Adam Domurad
# Date 1344351551 14400
# Node ID f6cdd8639a8daa4315d9ba5084f2e4c7235364b4
# Parent a0ac102c8ed5a8b766a5524dcaa75200c2c70289
Fixes PR1106, buffer overflow in plugin table
diff -r a0ac102c8ed5 -r f6cdd8639a8d ChangeLog
--- a/ChangeLog Thu Aug 02 09:11:37 2012 -0400
+++ b/ChangeLog Tue Aug 07 10:59:11 2012 -0400
@@ -1,3 +1,10 @@
+2012-08-07 Adam Domurad
+
+ Fixes PR1106, plugin crashing with firefox + archlinux/gentoo
+ * plugin/icedteanp/IcedTeaNPPlugin.cc
+ (initialize_browser_functions): Account for the fact that
+ browserTable->size can be larger than sizeof(NPNetscapeFuncs)
+
 2012-08-02 Adam Domurad
 * plugin/icedteanp/IcedTeaPluginUtils.cc: Fixed a typo that prevented
diff -r a0ac102c8ed5 -r f6cdd8639a8d NEWS
--- a/NEWS Thu Aug 02 09:11:37 2012 -0400
+++ b/NEWS Tue Aug 07 10:59:11 2012 -0400
@@ -9,6 +9,8 @@
 CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 New in release 1.2.2 (2012-XX-XX):
+* Plugin
+ - PR1106: Buffer overflow in plugin table
 New in release 1.2.1 (2012-07-31):
 * Security Updates
diff -r a0ac102c8ed5 -r f6cdd8639a8d plugin/icedteanp/IcedTeaNPPlugin.cc
--- a/plugin/icedteanp/IcedTeaNPPlugin.cc Thu Aug 02 09:11:37 2012 -0400
+++ b/plugin/icedteanp/IcedTeaNPPlugin.cc Tue Aug 07 10:59:11 2012 -0400
@@ -2053,8 +2053,13 @@
 //Ensure any unused fields are NULL
 memset(&browser_functions, 0, sizeof(NPNetscapeFuncs));
+
+ //browserTable->size can be larger than sizeof(NPNetscapeFuncs) (PR1106)
+ size_t copySize = browserTable->size < sizeof(NPNetscapeFuncs) ?
+ browserTable->size : sizeof(NPNetscapeFuncs);
+
 //Copy fields according to given size
- memcpy(&browser_functions, browserTable, browserTable->size);
+ memcpy(&browser_functions, browserTable, copySize);
 return true;
 }
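Review bot: The clamp in the IcedTeaNPPlugin.cc hunk stops memcpy from writing past browser_functions, but the opposite direction is still unchecked: a browserTable->size smaller than the offset of a function pointer this plugin calls leaves that slot as the zero from the preceding memset, and the later call through browser_functions dereferences NULL. Consider rejecting an undersized table before the copy, e.g. `if (browserTable->size < MIN_BROWSER_TABLE_SIZE) return false;` with the minimum derived via offsetof() from the last NPNetscapeFuncs member the plugin uses unconditionally (which members those are is not visible in this hunk). Note also that the copied `size` field still carries the browser's original value after the clamp, so if anything later consults browser_functions.size it should be reset with `browser_functions.size = copySize;`. The enclosing function (initialize_browser_functions per the ChangeLog) starts outside the hunk, so whether browserTable is already NULL-checked or its version validated cannot be confirmed from here.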