diff options
| author | jschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-06-11 02:54:51 +0000 |
|---|---|---|
| committer | jschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-06-11 02:54:51 +0000 |
| commit | 89f5fbb75f989d12dffeffa1ca0a7bb40c603706 (patch) | |
| tree | d45f47a42af530491c6634a45ea97f3be320e761 /content/plugin | |
| parent | bdf652c4c18e00accc8f478ee2787ad09e6e424c (diff) | |
| download | chromium_src-89f5fbb75f989d12dffeffa1ca0a7bb40c603706.zip chromium_src-89f5fbb75f989d12dffeffa1ca0a7bb40c603706.tar.gz chromium_src-89f5fbb75f989d12dffeffa1ca0a7bb40c603706.tar.bz2 | |
Prevent OOB read from plugin calls returning strings with embedded NUL characters. Duplicates this Pepper fix: http://src.chromium.org/viewvc/chrome?view=rev&revision=82172
BUG=77493
Review URL: http://codereview.chromium.org/7099006
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@88758 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/plugin')
| -rw-r--r-- | content/plugin/npobject_util.cc | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/content/plugin/npobject_util.cc b/content/plugin/npobject_util.cc index 0afd875..5d070a7 100644 --- a/content/plugin/npobject_util.cc +++ b/content/plugin/npobject_util.cc @@ -1,4 +1,4 @@ -// Copyright (c) 2010 The Chromium Authors. All rights reserved. +// Copyright (c) 2011 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. @@ -242,13 +242,15 @@ bool CreateNPVariant(const NPVariant_Param& param, result->type = NPVariantType_Double; result->value.doubleValue = param.double_value; break; - case NPVARIANT_PARAM_STRING: + case NPVARIANT_PARAM_STRING: { result->type = NPVariantType_String; - result->value.stringValue.UTF8Characters = - static_cast<NPUTF8 *>(base::strdup(param.string_value.c_str())); - result->value.stringValue.UTF8Length = - static_cast<int>(param.string_value.size()); + void* buffer = malloc(param.string_value.size()); + size_t size = param.string_value.size(); + result->value.stringValue.UTF8Characters = static_cast<NPUTF8*>(buffer); + memcpy(buffer, param.string_value.c_str(), size); + result->value.stringValue.UTF8Length = static_cast<int>(size); break; + } case NPVARIANT_PARAM_SENDER_OBJECT_ROUTING_ID: result->type = NPVariantType_Object; object = channel->GetExistingNPObjectProxy(param.npobject_routing_id); |