authordavidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-03-26 20:59:46 +0000
committerdavidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-03-26 20:59:46 +0000
commit87eb275ae8ae3cbd761e009503e6384f709f966a (patch)
tree6720acbde790039ac8d35f5e16f8cc14ba323d98 /webkit/plugins
parentf1ced92024258328128ca67886a41e508d852f0a (diff)
Be more thorough checking for NULL NPP values
Unlike the other entry points, NPN_GetValue and NPN_SetValue don't check for NULL npp values. nspluginwrapper will happily call functions with NULL npp if the instances have been destroyed in the meantime. (And the patch for #53940 will make this happen more often to avoid a plugin-side crash.) NOTE: This does not fix #53940, but the fix for it in nspluginwrapper reveals some missing checks on our end. BUG=53940 TEST=none Review URL: http://codereview.chromium.org/6722021 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@79498 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/plugins')
-rw-r--r--webkit/plugins/npapi/plugin_host.cc26
1 files changed, 25 insertions, 1 deletions
diff --git a/webkit/plugins/npapi/plugin_host.cc b/webkit/plugins/npapi/plugin_host.cc
index 9aed03b..5fd6492 100644
--- a/webkit/plugins/npapi/plugin_host.cc
+++ b/webkit/plugins/npapi/plugin_host.cc
@@ -693,6 +693,10 @@ NPError NPN_GetValue(NPP id, NPNVariable variable, void* value) {
switch (static_cast<int>(variable)) {
case NPNVWindowNPObject: {
scoped_refptr<PluginInstance> plugin(FindInstance(id));
+ if (!plugin.get()) {
+ NOTREACHED();
+ return NPERR_INVALID_INSTANCE_ERROR;
+ }
NPObject *np_object = plugin->webplugin()->GetWindowScriptNPObject();
// Return value is expected to be retained, as
// described here:
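Review bot: The new guard at the top of the NPNVWindowNPObject case pairs the NULL-instance return with NOTREACHED(), yet the commit message describes this very situation — nspluginwrapper calling in with a NULL npp after the instance has been destroyed — as something that happens in normal operation rather than a browser-side bug. If NOTREACHED() is fatal in debug builds here (as Chromium's macro usually is), the check turns a now-recoverable error into a plugin-process crash on exactly the path it was added to survive; consider logging instead, e.g. `DLOG(WARNING) << "NPN_GetValue called with invalid NPP";` before the `return NPERR_INVALID_INSTANCE_ERROR;`, or simply returning. The same applies to the identical guards in the following hunks (NPNVPluginElementNPObject, NPNVprivateModeBool, the missing-plugin-status case, NPNVpluginDrawingModel, and the one in NPN_SetValue); a small static helper would also avoid pasting the four-line block seven times. The NPN_GetValue body that encloses this switch starts before the hunk.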
@@ -709,6 +713,10 @@ NPError NPN_GetValue(NPP id, NPNVariable variable, void* value) {
}
case NPNVPluginElementNPObject: {
scoped_refptr<PluginInstance> plugin(FindInstance(id));
+ if (!plugin.get()) {
+ NOTREACHED();
+ return NPERR_INVALID_INSTANCE_ERROR;
+ }
NPObject *np_object = plugin->webplugin()->GetPluginElement();
// Return value is expected to be retained, as
// described here:
@@ -728,7 +736,7 @@ NPError NPN_GetValue(NPP id, NPNVariable variable, void* value) {
scoped_refptr<PluginInstance> plugin = FindInstance(id);
if (!plugin.get()) {
NOTREACHED();
- return NPERR_GENERIC_ERROR;
+ return NPERR_INVALID_INSTANCE_ERROR;
}
gfx::PluginWindowHandle handle = plugin->window_handle();
*((void**)value) = (void*)handle;
@@ -763,6 +771,10 @@ NPError NPN_GetValue(NPP id, NPNVariable variable, void* value) {
case NPNVprivateModeBool: {
NPBool* private_mode = reinterpret_cast<NPBool*>(value);
scoped_refptr<PluginInstance> plugin(FindInstance(id));
+ if (!plugin.get()) {
+ NOTREACHED();
+ return NPERR_INVALID_INSTANCE_ERROR;
+ }
*private_mode = plugin->webplugin()->IsOffTheRecord();
rv = NPERR_NO_ERROR;
break;
@@ -778,6 +790,10 @@ NPError NPN_GetValue(NPP id, NPNVariable variable, void* value) {
// with the variable definition, in order to avoid duplicate case clauses
// in this big switch statement.
scoped_refptr<PluginInstance> plugin(FindInstance(id));
+ if (!plugin.get()) {
+ NOTREACHED();
+ return NPERR_INVALID_INSTANCE_ERROR;
+ }
if (plugin->plugin_lib()->plugin_info().path.value() ==
webkit::npapi::kDefaultPluginLibraryName) {
plugin->webplugin()->OnMissingPluginStatus(variable -
@@ -789,6 +805,10 @@ NPError NPN_GetValue(NPP id, NPNVariable variable, void* value) {
case NPNVpluginDrawingModel: {
// return the drawing model that was negotiated when we initialized.
scoped_refptr<PluginInstance> plugin(FindInstance(id));
+ if (!plugin.get()) {
+ NOTREACHED();
+ return NPERR_INVALID_INSTANCE_ERROR;
+ }
*reinterpret_cast<int*>(value) = plugin->drawing_model();
rv = NPERR_NO_ERROR;
break;
@@ -869,6 +889,10 @@ NPError NPN_SetValue(NPP id, NPPVariable variable, void* value) {
// Allows the plugin to set various modes
scoped_refptr<PluginInstance> plugin(FindInstance(id));
+ if (!plugin.get()) {
+ NOTREACHED();
+ return NPERR_INVALID_INSTANCE_ERROR;
+ }
switch(variable) {
case NPPVpluginWindowBool: {
// Sets windowless mode for display of the plugin