# HG changeset patch
# User Adam Domurad
# Date 1344351798 14400
# Node ID bc280713fc347b2b8fe366f0aa3a613876bf3931
# Parent b64886a766cc138d566b2f3719179aaab910c421
Fixes PR1106, buffer overflow in plugin table
diff -r b64886a766cc -r bc280713fc34 ChangeLog
--- a/ChangeLog Tue Aug 07 12:27:20 2012 +0200
+++ b/ChangeLog Tue Aug 07 11:03:18 2012 -0400
@@ -1,3 +1,10 @@
+2012-08-07 Adam Domurad
+
+ Fixes PR1106, plugin crashing with firefox + archlinux/gentoo
+ * plugin/icedteanp/IcedTeaNPPlugin.cc
+ (initialize_browser_functions): Account for the fact that
+ browserTable->size can be larger than sizeof(NPNetscapeFuncs)
+
 2012-07-31 Jiri Vanek Peter Hatina
diff -r b64886a766cc -r bc280713fc34 NEWS
--- a/NEWS Tue Aug 07 12:27:20 2012 +0200
+++ b/NEWS Tue Aug 07 11:03:18 2012 -0400
@@ -24,6 +24,7 @@
 - PR722: META-INF/ unsigned entries should be ignored in signing
 - PR855: AppletStub getDocumentBase() doesn't return full URL
 - PR1011: Folders treated as jar files in archive tag
+ - PR1106: Buffer overflow in plugin table
 * Common
 - PR918: java applet windows uses a low resulution black/white icon
 - RH838417: Disambiguate signed applet security prompt from certificate warning
diff -r b64886a766cc -r bc280713fc34 plugin/icedteanp/IcedTeaNPPlugin.cc
--- a/plugin/icedteanp/IcedTeaNPPlugin.cc Tue Aug 07 12:27:20 2012 +0200
+++ b/plugin/icedteanp/IcedTeaNPPlugin.cc Tue Aug 07 11:03:18 2012 -0400
@@ -2043,8 +2043,13 @@
 //Ensure any unused fields are NULL
 memset(&browser_functions, 0, sizeof(NPNetscapeFuncs));
+
+ //browserTable->size can be larger than sizeof(NPNetscapeFuncs) (PR1106)
+ size_t copySize = browserTable->size < sizeof(NPNetscapeFuncs) ?
+ browserTable->size : sizeof(NPNetscapeFuncs);
+
 //Copy fields according to given size
- memcpy(&browser_functions, browserTable, browserTable->size);
+ memcpy(&browser_functions, browserTable, copySize);
 return true;
 }
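Review bot: After the clamped memcpy, browser_functions.size still carries the browser-reported value (size is the first field of NPNetscapeFuncs, so it is copied along with the rest), which no longer describes how many bytes of browser_functions were actually filled in; if anything later consults browser_functions.size to decide which entry points exist, it should be reset with `browser_functions.size = copySize;` right after the memcpy, or a comment should record that the field is not meaningful past this point. The clamp also accepts a browserTable->size smaller than the table header, in which case every entry beyond the copied prefix stays NULL from the memset; that is harmless only as long as callers test those pointers before use, which is outside this hunk. As a point of style, since this is C++ the ternary reads more directly as `size_t copySize = std::min<size_t>(browserTable->size, sizeof(NPNetscapeFuncs));` (with <algorithm> included). initialize_browser_functions begins before the hunk.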