-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | plugin/icedteanp/IcedTeaNPPlugin.cc | 7 |
3 files changed, 16 insertions, 2 deletions
@@ -1,3 +1,10 @@ +2012-08-07 Adam Domurad <[email protected]> + + Fixes PR1106, plugin crashing with firefox + archlinux/gentoo + * plugin/icedteanp/IcedTeaNPPlugin.cc + (initialize_browser_functions): Account for the fact that + browserTable->size can be larger than sizeof(NPNetscapeFuncs) + 2012-08-01 Saad Mohammad <[email protected]> Fix PR1049: Extension jnlp's signed jar with the content of only META-INF/* @@ -12,8 +12,10 @@ New in release 1.4 (2012-XX-XX): * Security updates - CVE-2012-3422, RH840592: Potential read from an uninitialized memory location - CVE-2012-3423, RH841345: Incorrect handling of not 0-terminated strings +* Plugin + - PR1106: Buffer overflow in plugin table- * Common - - PR1049: Extension jnlp's signed jar with the content of only META-INF/* is considered unsigned + - PR1049: Extension jnlp's signed jar with the content of only META-INF/* is considered New in release 1.3 (2012-XX-XX): * NetX diff --git a/plugin/icedteanp/IcedTeaNPPlugin.cc b/plugin/icedteanp/IcedTeaNPPlugin.cc index d8b8948..1012812 100644 --- a/plugin/icedteanp/IcedTeaNPPlugin.cc +++ b/plugin/icedteanp/IcedTeaNPPlugin.cc @@ -2043,8 +2043,13 @@ initialize_browser_functions(const NPNetscapeFuncs* browserTable) //Ensure any unused fields are NULL memset(&browser_functions, 0, sizeof(NPNetscapeFuncs)); + + //browserTable->size can be larger than sizeof(NPNetscapeFuncs) (PR1106) + size_t copySize = browserTable->size < sizeof(NPNetscapeFuncs) ? + browserTable->size : sizeof(NPNetscapeFuncs); + //Copy fields according to given size - memcpy(&browser_functions, browserTable, browserTable->size); + memcpy(&browser_functions, browserTable, copySize); return true; } |
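Review bot: After the clamped `memcpy` in the IcedTeaNPPlugin.cc hunk, `browser_functions.size` still carries the browser's value, since the size field is among the bytes copied from `browserTable` (assuming it lies in the copied prefix, as the copy-by-size pattern implies). When the browser's table is the larger one, the stored size then exceeds the local struct, and any later code that treats it as the extent of `browser_functions` would step past the end again; adding `browser_functions.size = copySize;` right after the copy keeps the struct self-consistent. The hunk also shows no lower bound: a table shorter than the entries the plugin calls leaves those pointers NULL from the `memset` while the function still returns `true`. Whether that is checked earlier cannot be seen here, because `initialize_browser_functions` starts outside the hunk.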