Bug 731917 prevent plugins from corrupting the stack by making word-size... (29c2d84d) · Commits · Tommy Webb / Tor Browser

dom/plugins/base/nsNPAPIPlugin.cpp

+11 −4

Original line number	Diff line number	Diff line
		@@ -2020,15 +2020,22 @@ _getvalue(NPP npp, NPNVariable variable, void *result)
		nsNPAPIPluginInstance inst = (nsNPAPIPluginInstance ) npp->ndata;
		bool windowless = false;
		inst->IsWindowless(&windowless);
		NPBool needXEmbed = false;
		// The documentation on the types for many variables in NP(N\|P)_GetValue
		// is vague. Often boolean values are NPBool (1 byte), but
		// https://developer.mozilla.org/en/XEmbed_Extension_for_Mozilla_Plugins
		// treats NPPVpluginNeedsXEmbed as PRBool (int), and
		// on x86/32-bit, flash stores to this using \|movl 0x1,&needsXEmbed\|.
		// thus we can't use NPBool for needsXEmbed, or the three bytes above
		// it on the stack would get clobbered. so protect with the larger bool.
		int needsXEmbed = 0;
		if (!windowless) {
		res = inst->GetValueFromPlugin(NPPVpluginNeedsXEmbed, &needXEmbed);
		res = inst->GetValueFromPlugin(NPPVpluginNeedsXEmbed, &needsXEmbed);
		// If the call returned an error code make sure we still use our default value.
		if (NS_FAILED(res)) {
		needXEmbed = false;
		needsXEmbed = 0;
		}
		}
		if (windowless \|\| needXEmbed) {
		if (windowless \|\| needsXEmbed) {
		((Display *)result) = mozilla::DefaultXDisplay();
		return NPERR_NO_ERROR;
		}

+12 −5

Original line number	Diff line number	Diff line
		@@ -120,17 +120,24 @@ nsresult nsPluginNativeWindowGtk2::CallSetWindow(nsRefPtr<nsNPAPIPluginInstance>
		if (!mSocketWidget) {
		nsresult rv;

		bool needXEmbed = false;
		rv = aPluginInstance->GetValueFromPlugin(NPPVpluginNeedsXEmbed, &needXEmbed);
		// The documentation on the types for many variables in NP(N\|P)_GetValue
		// is vague. Often boolean values are NPBool (1 byte), but
		// https://developer.mozilla.org/en/XEmbed_Extension_for_Mozilla_Plugins
		// treats NPPVpluginNeedsXEmbed as PRBool (int), and
		// on x86/32-bit, flash stores to this using \|movl 0x1,&needsXEmbed\|.
		// thus we can't use NPBool for needsXEmbed, or the three bytes above
		// it on the stack would get clobbered. so protect with the larger bool.
		int needsXEmbed = 0;
		rv = aPluginInstance->GetValueFromPlugin(NPPVpluginNeedsXEmbed, &needsXEmbed);
		// If the call returned an error code make sure we still use our default value.
		if (NS_FAILED(rv)) {
		needXEmbed = false;
		needsXEmbed = 0;
		}
		#ifdef DEBUG
		printf("nsPluginNativeWindowGtk2: NPPVpluginNeedsXEmbed=%d\n", needXEmbed);
		printf("nsPluginNativeWindowGtk2: NPPVpluginNeedsXEmbed=%d\n", needsXEmbed);
		#endif

		if (needXEmbed) {
		if (needsXEmbed) {
		rv = CreateXEmbedWindow();
		}
		else {

+2 −2

Original line number	Diff line number	Diff line
		@@ -625,11 +625,11 @@ PluginInstanceChild::AnswerNPP_GetValue_NPPVpluginNeedsXEmbed(
		// The documentation on the types for many variables in NP(N\|P)_GetValue
		// is vague. Often boolean values are NPBool (1 byte), but
		// https://developer.mozilla.org/en/XEmbed_Extension_for_Mozilla_Plugins
		// treats NPPVpluginNeedsXEmbed as bool (int), and
		// treats NPPVpluginNeedsXEmbed as PRBool (int), and
		// on x86/32-bit, flash stores to this using \|movl 0x1,&needsXEmbed\|.
		// thus we can't use NPBool for needsXEmbed, or the three bytes above
		// it on the stack would get clobbered. so protect with the larger bool.
		PRUint32 needsXEmbed = 0;
		int needsXEmbed = 0;
		if (!mPluginIface->getvalue) {
		*rv = NPERR_GENERIC_ERROR;
		}