[Webkit-unassigned] [Bug 20267] Crash on some pages due to a plugin

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 20 13:29:59 PDT 2008


https://bugs.webkit.org/show_bug.cgi?id=20267


alp at nuanti.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alp at nuanti.com
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|0                           |1
           Keywords|                            |Gtk




------- Comment #2 from alp at nuanti.com  2008-08-20 13:29 PDT -------
(In reply to comment #1)
> Created an attachment (id=22892)
>  --> (https://bugs.webkit.org/attachment.cgi?id=22892&action=view)
> Fix handling of badly formatted and empty plugin mime descriptions
> 
> The backtrace looks to be the same crash I encountered with the new Maemo
> release (Diablo), which was due to Nokia's browser plugin including a
> trailing '; ' in their return value for NP_GetMIMEDescription().
> 
> The GTK+ PluginPackage code first splits by ';', then by ':' and assumes that
> the latter always succeeds in finding three elements, thus crashing when
> there are fewer.
> 
> The patch fixes it to only accept well-formatted (i.e. three elements separated
> by ':' for each ';' block) mime descriptions.
> 

I think this no longer crashes on trunk since String::fromUTF8() was changed to
return a null WebCore string rather than crashing on null input a few days ago.

However, if g_strsplit() returns fewer than 3 elements the code will still be
accessing mimeData[1] and mimeData[2] which may be pointing to uninitialized
memory, so the fix is still a good idea.

The patch will skip over mime descs that have fewer than three elements while
the version in PluginPackageWin looks like it will continue successfully if
there is no description or extension list -- maybe this patch should be
modified to cater for that condition too?


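The parsing problem the comment describes (split on ';', then on ':', and index three fields that may not exist) can be handled defensively without either crashing or rejecting every short block. The following is an added example written for this page, not WebKit's PluginPackage code or the attached patch: it uses plain std::string instead of g_strsplit(), assumes the conventional NPAPI block order "type:extensions:description", skips empty blocks such as the trailing "; " mentioned above, tolerates blocks with fewer than three fields (the lenient behaviour attributed to PluginPackageWin) by leaving the missing fields empty, and drops only blocks whose MIME type is empty. All names (MimeEntry, parseMIMEDescription) and the sample strings are constructed for the example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// One parsed "type:extensions:description" block.
struct MimeEntry {
    std::string mimeType;
    std::vector<std::string> extensions; // the ','-separated second field
    std::string description;
};

// Split s on a single character, keeping empty fields (like g_strsplit).
static std::vector<std::string> split(const std::string& s, char sep) {
    std::vector<std::string> out;
    std::string::size_type start = 0;
    for (;;) {
        std::string::size_type pos = s.find(sep, start);
        if (pos == std::string::npos) {
            out.push_back(s.substr(start));
            return out;
        }
        out.push_back(s.substr(start, pos - start));
        start = pos + 1;
    }
}

static std::string trim(const std::string& s) {
    const char* ws = " \t\r\n";
    std::string::size_type b = s.find_first_not_of(ws);
    if (b == std::string::npos) return "";
    std::string::size_type e = s.find_last_not_of(ws);
    return s.substr(b, e - b + 1);
}

// Parse an NP_GetMIMEDescription()-style string (hypothetical helper, not WebKit's).
// - null input yields no entries instead of a crash
// - empty or whitespace-only ';' blocks (e.g. a trailing "; ") are skipped
// - blocks with fewer than three ':' fields are accepted; the missing extension
//   list and/or description stay empty (never read past the fields that exist)
// - a block with an empty MIME type is dropped as malformed
std::vector<MimeEntry> parseMIMEDescription(const char* raw) {
    std::vector<MimeEntry> entries;
    if (!raw) return entries;
    for (const std::string& block : split(raw, ';')) {
        std::string b = trim(block);
        if (b.empty()) continue;
        std::vector<std::string> fields = split(b, ':'); // always >= 1 field
        MimeEntry e;
        e.mimeType = trim(fields[0]);
        if (e.mimeType.empty()) continue;
        if (fields.size() > 1) {
            for (const std::string& ext : split(fields[1], ',')) {
                std::string x = trim(ext);
                if (!x.empty()) e.extensions.push_back(x);
            }
        }
        if (fields.size() > 2) {
            // A description may itself contain ':', so rejoin the remainder.
            std::string desc = fields[2];
            for (std::size_t i = 3; i < fields.size(); ++i) desc += ":" + fields[i];
            e.description = trim(desc);
        }
        entries.push_back(e);
    }
    return entries;
}

int main() {
    // Constructed sample inputs, not real plugin output.
    const char* samples[] = {
        "application/x-shockwave-flash:swf:Shockwave Flash; ", // trailing "; "
        "video/x-example:ex1,ex2",                             // no description
        ":swf:no type;; ",                                     // malformed blocks
        nullptr                                                // null from plugin
    };
    for (const char* s : samples) {
        std::vector<MimeEntry> v = parseMIMEDescription(s);
        std::cout << (s ? s : "(null)") << " -> " << v.size() << " entries\n";
        for (const MimeEntry& e : v)
            std::cout << "  " << e.mimeType << " exts=" << e.extensions.size()
                      << " desc='" << e.description << "'\n";
    }
    return 0;
}
```

The key property is that no index is read unless the split actually produced it; whether short blocks are kept (as here) or skipped (as the attached patch does) is then a policy choice rather than a memory-safety one.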