Bug 1106552 - Fix invalid conversions of string to NPVariant in plugin code. r=bsmedberg

2024-09-13 09:24:08 -07:00 · 2014-12-11 15:05:13 +01:00 · 2014-12-11 15:05:13 +01:00 · db530200c7
commit db530200c7
parent da5a1ed4e2
4 changed files with 70 additions and 4 deletions
--- a/dom/plugins/ipc/PluginScriptableObjectUtils-inl.h
+++ b/dom/plugins/ipc/PluginScriptableObjectUtils-inl.h
@ -60,12 +60,16 @@ mozilla::plugins::ConvertToVariant(const Variant& aRemoteVariant,

    case Variant::TnsCString: {
      const nsCString& string = aRemoteVariant.get_nsCString();
-      NPUTF8* buffer = reinterpret_cast<NPUTF8*>(strdup(string.get()));
+      const size_t length = string.Length();
+      NPUTF8* buffer = static_cast<NPUTF8*>(::malloc(sizeof(NPUTF8) * (length + 1)));
      if (!buffer) {
        NS_ERROR("Out of memory!");
        return false;
      }
-      STRINGN_TO_NPVARIANT(buffer, string.Length(), aVariant);
+
+      std::copy(string.get(), string.get() + length, buffer);
+      buffer[length] = '\0';
+      STRINGN_TO_NPVARIANT(buffer, length, aVariant);
      break;
    }

--- a/dom/plugins/test/mochitest/mochitest.ini
+++ b/dom/plugins/test/mochitest/mochitest.ini
@ -110,6 +110,7 @@ skip-if = toolkit != "cocoa"
 [test_src_url_change.html]
 [test_streamNotify.html]
 skip-if = e10s
+[test_stringHandling.html]
 [test_streamatclose.html]
 [test_twostreams.html]
 [test_windowed_invalidate.html]
--- a/dom/plugins/test/mochitest/test_stringHandling.html
+++ b/dom/plugins/test/mochitest/test_stringHandling.html
@ -0,0 +1,35 @@
+<html>
+<head>
+  <title>NPAPI string test</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="application/javascript" src="utils.js"></script>
+
+  <link rel="stylesheet" type="text/css"
+        href="/tests/SimpleTest/test.css" />
+</head>
+
+<body onload="runTests()">
+  <script class="testbody" type="application/javascript">
+    SimpleTest.waitForExplicitFinish();
+    setTestPluginEnabledState(SpecialPowers.Ci.nsIPluginTag.STATE_ENABLED);
+
+    function runTests() {
+      try {
+        var plugin = document.getElementById("plugin1");
+        var badData = 'foo ' + '\x00'.repeat(260000);
+        var ret = plugin.echoString(badData);
+        ok(true, "Did not crash.");
+        is(ret, badData, "Returned string should equal what we passed in.");
+      } catch (e) {
+        ok(false, "Failed to call plugin.echoString() properly.");
+      } finally {
+        SimpleTest.finish();
+      }
+    }
+  </script>
+
+  <p id="display"></p>
+
+  <embed id="plugin1" type="application/x-test" width="400" height="400"></embed>
+</body>
+</html>
--- a/dom/plugins/test/testplugin/nptest.cpp
+++ b/dom/plugins/test/testplugin/nptest.cpp
@ -171,6 +171,7 @@ static bool getLastKeyText(NPObject* npobj, const NPVariant* args, uint32_t argC
 static bool getNPNVdocumentOrigin(NPObject* npobj, const NPVariant* args, uint32_t argCount, NPVariant* result);
 static bool getMouseUpEventCount(NPObject* npobj, const NPVariant* args, uint32_t argCount, NPVariant* result);
 static bool queryContentsScaleFactor(NPObject* npobj, const NPVariant* args, uint32_t argCount, NPVariant* result);
+static bool echoString(NPObject* npobj, const NPVariant* args, uint32_t argCount, NPVariant* result);

 static const NPUTF8* sPluginMethodIdentifierNames[] = {
  "npnEvaluateTest",
@ -235,7 +236,8 @@ static const NPUTF8* sPluginMethodIdentifierNames[] = {
  "getLastKeyText",
  "getNPNVdocumentOrigin",
  "getMouseUpEventCount",
-  "queryContentsScaleFactor"
+  "queryContentsScaleFactor",
+  "echoString",
 };
 static NPIdentifier sPluginMethodIdentifiers[ARRAY_LENGTH(sPluginMethodIdentifierNames)];
 static const ScriptableFunction sPluginMethodFunctions[] = {
@ -301,7 +303,8 @@ static const ScriptableFunction sPluginMethodFunctions[] = {
  getLastKeyText,
  getNPNVdocumentOrigin,
  getMouseUpEventCount,
-  queryContentsScaleFactor
+  queryContentsScaleFactor,
+  echoString,
 };

 STATIC_ASSERT(ARRAY_LENGTH(sPluginMethodIdentifierNames) ==
@ -3684,3 +3687,26 @@ bool queryContentsScaleFactor(NPObject* npobj, const NPVariant* args, uint32_t a
  DOUBLE_TO_NPVARIANT(scaleFactor, *result);
  return true;
 }
+
+bool echoString(NPObject* npobj, const NPVariant* args, uint32_t argCount, NPVariant* result)
+{
+  if (argCount != 1) {
+    return false;
+  }
+
+  if (!NPVARIANT_IS_STRING(args[0])) {
+    return false;
+  }
+
+  const NPString& arg = NPVARIANT_TO_STRING(args[0]);
+  NPUTF8* buffer = static_cast<NPUTF8*>(NPN_MemAlloc(sizeof(NPUTF8) * arg.UTF8Length));
+  if (!buffer) {
+    return false;
+  }
+
+  std::copy(arg.UTF8Characters, arg.UTF8Characters + arg.UTF8Length, buffer);
+  STRINGN_TO_NPVARIANT(buffer, arg.UTF8Length, *result);
+
+  return true;
+}
+