authoramit@chromium.org <amit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-05-19 23:12:42 +0000
committeramit@chromium.org <amit@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-05-19 23:12:42 +0000
commit84415815e15b34b3a507731617f79673eb5d4601 (patch)
tree3e70271306ea6e7ef2809dbbc8a868c6f8b76dac /chrome_frame
parentca3dbf513dde28bb92b0337f87d2ed05c43b75ff (diff)
Check correct offset to avoid crash
This change corrects the offset and the condition to avoid crash in IBrowserService2::v_MayTranslateAccelerator. BUG=25457 Review URL: http://codereview.chromium.org/2109010 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@47744 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome_frame')
-rw-r--r--chrome_frame/chrome_frame_activex_base.h5
1 files changed, 3 insertions, 2 deletions
diff --git a/chrome_frame/chrome_frame_activex_base.h b/chrome_frame/chrome_frame_activex_base.h
index de60462..9aa1cc3 100644
--- a/chrome_frame/chrome_frame_activex_base.h
+++ b/chrome_frame/chrome_frame_activex_base.h
@@ -918,7 +918,7 @@ END_MSG_MAP()
// sent to the out of proc chromium instance.
// Returns S_OK iff the accelerator was handled by the browser.
HRESULT AllowFrameToTranslateAccelerator(const MSG& msg) {
- static const int kMayTranslateAcceleratorOffset = 0x170;
+ static const int kMayTranslateAcceleratorOffset = 0x5c;
// Although IBrowserService2 is officially deprecated, it's still alive
// and well in IE7 and earlier. We have to use it here to correctly give
// the browser a chance to handle keyboard shortcuts.
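Review bot: `kMayTranslateAcceleratorOffset` carries no comment stating its unit, and this change appears to switch that unit: the old 0x170 looks like a byte offset, while 0x5c equals 0x170 / 4 and is used in the second hunk as an element count on a `long*`. The name still says "Offset", so a reader cannot tell that it is now an index or that the value assumes 4-byte slots. I would add a comment above it such as `// Slot index (not a byte offset) of v_MayTranslateAccelerator; 0x5c * 4 == 0x170 bytes with 32-bit pointers.` and consider renaming it to `kMayTranslateAcceleratorSlot`. The body of AllowFrameToTranslateAccelerator continues outside this hunk.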
@@ -941,7 +941,8 @@ END_MSG_MAP()
// circumstances this vtable is actually used though.
if (S_OK == DoQueryService(SID_STopLevelBrowser, m_spInPlaceSite,
bs2.Receive()) && bs2.get() &&
- (bs2 + kMayTranslateAcceleratorOffset)) {
+ *(reinterpret_cast<long*>(bs2.get()) +
+ kMayTranslateAcceleratorOffset)) {
hr = bs2->v_MayTranslateAccelerator(&accel_message);
} else {
// IE8 doesn't support IBrowserService2 unless you enable a special,
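Review bot: The new condition `*(reinterpret_cast<long*>(bs2.get()) + kMayTranslateAcceleratorOffset)` indexes from the interface pointer itself rather than from the vtable its first word points to, so as written it reads a `long` 0x170 bytes into the object instead of testing the `v_MayTranslateAccelerator` slot. If the intent is the null-entry check that the commit description and the partial comment above suggest, this is an out-of-bounds read of unrelated memory, and a null vtable entry could still reach the `bs2->v_MayTranslateAccelerator(&accel_message)` call. Dereferencing the vtable pointer first would match that intent: `(*reinterpret_cast<void***>(bs2.get()))[kMayTranslateAcceleratorOffset]`. Using pointer-sized slots also avoids `long` being narrower than a pointer on 64-bit Windows. The explanatory comment and the `else` branch both extend outside this hunk.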