Mercurial > hg > release > icedtea-web-1.4
changeset 479:f50ebe7b01da
Fixes PR1106, buffer overflow in plugin table
author | Adam Domurad <adomurad@redhat.com> |
---|---|
date | Tue, 07 Aug 2012 10:57:02 -0400 |
parents | 31b729370710 |
children | 4abd45fba03d |
files | ChangeLog NEWS plugin/icedteanp/IcedTeaNPPlugin.cc |
diffstat | 3 files changed, 16 insertions(+), 2 deletions(-) |
--- a/ChangeLog Tue Aug 07 12:24:29 2012 +0200 +++ b/ChangeLog Tue Aug 07 10:57:02 2012 -0400 @@ -1,3 +1,10 @@ +2012-08-07 Adam Domurad <adomurad@redhat.com> + + Fixes PR1106, plugin crashing with firefox + archlinux/gentoo + * plugin/icedteanp/IcedTeaNPPlugin.cc + (initialize_browser_functions): Account for the fact that + browserTable->size can be larger than sizeof(NPNetscapeFuncs) + 2012-08-01 Saad Mohammad <smohammad@redhat.com> Fix PR1049: Extension jnlp's signed jar with the content of only META-INF/*
--- a/NEWS Tue Aug 07 12:24:29 2012 +0200 +++ b/NEWS Tue Aug 07 10:57:02 2012 -0400 @@ -12,8 +12,10 @@ * Security updates - CVE-2012-3422, RH840592: Potential read from an uninitialized memory location - CVE-2012-3423, RH841345: Incorrect handling of not 0-terminated strings +* Plugin + - PR1106: Buffer overflow in plugin table- * Common - - PR1049: Extension jnlp's signed jar with the content of only META-INF/* is considered unsigned + - PR1049: Extension jnlp's signed jar with the content of only META-INF/* is considered New in release 1.3 (2012-XX-XX): * NetX
--- a/plugin/icedteanp/IcedTeaNPPlugin.cc Tue Aug 07 12:24:29 2012 +0200 +++ b/plugin/icedteanp/IcedTeaNPPlugin.cc Tue Aug 07 10:57:02 2012 -0400 @@ -2043,8 +2043,13 @@ //Ensure any unused fields are NULL memset(&browser_functions, 0, sizeof(NPNetscapeFuncs)); + + //browserTable->size can be larger than sizeof(NPNetscapeFuncs) (PR1106) + size_t copySize = browserTable->size < sizeof(NPNetscapeFuncs) ? + browserTable->size : sizeof(NPNetscapeFuncs); + //Copy fields according to given size - memcpy(&browser_functions, browserTable, browserTable->size); + memcpy(&browser_functions, browserTable, copySize); return true; }
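Review bot: The ChangeLog entry in the first hunk describes PR1106 only as "plugin crashing with firefox + archlinux/gentoo", while the commit summary and the NEWS entry call it a buffer overflow in the plugin table. Suggest the entry state that the memcpy into browser_functions could copy more than sizeof(NPNetscapeFuncs) bytes, so a reader of ChangeLog alone sees a memory-safety fix and not a distribution-specific crash.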
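Review bot: In the NEWS hunk the re-added PR1049 line ends at "is considered", where the removed line ended "is considered unsigned". Unless the word was wrapped onto a following line that is not visible here, the entry no longer says what the bug was; restore "unsigned" on that line.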
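Review bot: In the IcedTeaNPPlugin.cc hunk, the clamped memcpy still copies the browser's own size value from the start of browserTable into browser_functions, so after the copy browser_functions.size can claim more bytes than sizeof(NPNetscapeFuncs). If anything later reads that field, set it to the clamped value right after the copy, for example "browser_functions.size = copySize;". The clamp also only handles the upper bound: when browserTable->size is smaller than the struct, the trailing function pointers stay NULL from the memset, so a short comment noting that callers must NULL-check those entries, or an explicit minimum-size check before returning true, would make the contract clear.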