| Commit message (Collapse) | Author | Age | Files | Lines |
| |
other side's address
space. Basically the way this works is if an NPObject is marshaled over to the other side, an
NPObjectStub is created in the caller address space and an NPObjectProxy is created on the other side.
The NPObjectProxy is passed the raw NPObject pointer which is used as a cookie.
If the original NPObject needs to be passed back we pass the underlying NPObject saved in the NPObjectProxy.
The receiver does not validate whether this NPObject is valid before invoking on it.
While this is mostly fine, in the case of a compromised renderer invalid addresses could be passed back
to the plugin which would invoke on these addresses and crash.
Fix is to never pass raw object pointers across and just pass the corresponding routing id of the NPObjectStub.
The receiver validates this object by invoking a new method GetNPObjectListenerForRoute on the PluginChannelBase.
This method returns the corresponding NPObject listener for the routing id. We then retrieve the underlying NPObject
from the listener and use it.
The map of NPObjectListeners which is maintained by PluginChannelBase has been changed to hold NPObjectBase
pointers instead. NPObjectStub and NPObjectProxy implement the new NPObjectBase interface which provides
methods to return the underlying NPObject and the IPC::Channel::Listener pointer.
Fixes bug http://code.google.com/p/chromium/issues/detail?id=31880
I verified with the steps outlined in the bug that this fix does address the underlying crash.
Bug=31880
Test=We need a framework to test PluginChannel and NPObjectProxy/Stub. Will add a test case for this
once we have this in place.
Review URL: http://codereview.chromium.org/548046
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@36618 0039d316-1c4b-4281-b951-d872f2087c98
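The validation pattern described in the commit message above, as an added example that is not Chromium's code: the receiver accepts only a routing id from the peer and resolves it through a per-channel map, so an unknown or stale id is rejected instead of being invoked on. `Object`, `ObjectBase`, `Stub`, `Channel` and `InvokeByRoute` are simplified, hypothetical stand-ins for NPObject, NPObjectBase, NPObjectStub, PluginChannelBase and the receiving code path.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Stand-in for an NPObject; its address never leaves the owning process.
struct Object { std::string name; };

// Hypothetical analogue of NPObjectBase: returns the underlying object.
struct ObjectBase {
  virtual ~ObjectBase() = default;
  virtual Object* GetUnderlyingObject() = 0;
};

struct Stub : ObjectBase {
  explicit Stub(Object* o) : object(o) {}
  Object* GetUnderlyingObject() override { return object; }
  Object* object;
};

// Hypothetical analogue of PluginChannelBase: owns the route id -> listener map.
class Channel {
 public:
  int32_t AddRoute(ObjectBase* l) { routes_[next_id_] = l; return next_id_++; }
  void RemoveRoute(int32_t id) { routes_.erase(id); }
  // Analogue of GetNPObjectListenerForRoute: nullptr for ids never issued.
  ObjectBase* GetListenerForRoute(int32_t id) const {
    auto it = routes_.find(id);
    return it == routes_.end() ? nullptr : it->second;
  }

 private:
  std::map<int32_t, ObjectBase*> routes_;
  int32_t next_id_ = 1;
};

// Receiver side: the peer supplies a route id, never an address to dereference.
bool InvokeByRoute(const Channel& ch, int32_t route_id, std::string* out) {
  ObjectBase* base = ch.GetListenerForRoute(route_id);
  Object* obj = base ? base->GetUnderlyingObject() : nullptr;
  if (!obj) return false;  // unknown or stale id: refuse instead of invoking
  *out = obj->name;
  return true;
}

int main() {
  Object window{"window"}; Stub stub(&window); Channel ch; std::string out;
  int32_t id = ch.AddRoute(&stub);  // constructed sample route
  return InvokeByRoute(ch, id, &out) && !InvokeByRoute(ch, id + 1000, &out) ? 0 : 1;
}
```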
| |
to send an NPN_SetException back to the correct renderer if necessary. BUG=26764 TEST=none
Review URL: http://codereview.chromium.org/375005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@32419 0039d316-1c4b-4281-b951-d872f2087c98
| |
This mega patch contains a few simple but tightly dependent changes:
1. Deletion of webkit/api/WebKit.gyp. The file now lives in webkit.org.
2. Rename of webkit/webkit.gyp to webkit/webkit_glue.gyp. Having two webkit.gyp was a source of developer confusion.
3. Gyp dependencies are updated across chromium to point at the upstream WebKit.gyp and the renamed webkit_glue.gyp.
4. Some 200+ files include paths fixed to point to third_party/WebKit/WebKit/chromium instead of webkit/api. The latter will be deleted in a subsequent patch.
Review URL: http://codereview.chromium.org/387020
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@31749 0039d316-1c4b-4281-b951-d872f2087c98
| |
processes to run nested message loops when a dialog is shown. Instead use an async message that's broadcast from the renderer to all plugin processes that are connected to it, and which is dispatched on the plugin IO thread to set a process-local waitable event. This fixes showModalDialog on Linux/Mac.
BUG=15891
TEST=covered by UI tests, undef's them for POSIX
Review URL: http://codereview.chromium.org/242043
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@27456 0039d316-1c4b-4281-b951-d872f2087c98
| |
these is the WebKit::WebBindings API.
This will be a 2 sided commit with https://bugs.webkit.org/show_bug.cgi?id=28089
TEST=none
BUG=none
Review URL: http://codereview.chromium.org/164214
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@23012 0039d316-1c4b-4281-b951-d872f2087c98
| |
Review URL: http://codereview.chromium.org/155238
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20191 0039d316-1c4b-4281-b951-d872f2087c98
| |
and most likely some page cyclers.
Review URL: http://codereview.chromium.org/155236
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20180 0039d316-1c4b-4281-b951-d872f2087c98
| |
Review URL: http://codereview.chromium.org/149305
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20173 0039d316-1c4b-4281-b951-d872f2087c98
| |
The goal of this change is to *not* make any behavioral change, but to
instead just get all the plugin-related files linking on Linux with
a bunch of NOTIMPLEMENTED()s in the appropriate places. It's enormous
enough already without any refactorings or new features.
Changes include:
- Lots of gcc warning fixes.
- Use portable replacements for Windows-specific functions (_strdup, etc.).
- Use TransportDIB instead of just shared memory in the plugin messaging.
Note that this is not fleshed out on Linux and on Windows it just hacks
in the existing handles so there should be no functional change.
- Fix --plugin-launcher to use cross-platform APIs.
Review URL: http://codereview.chromium.org/79020
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@14338 0039d316-1c4b-4281-b951-d872f2087c98
| |
Review URL: http://codereview.chromium.org/49050
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@12928 0039d316-1c4b-4281-b951-d872f2087c98
| |
Fix files with lines > 80 cols. Part 2.
Review URL: http://codereview.chromium.org/40226
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@11326 0039d316-1c4b-4281-b951-d872f2087c98
| |
Review URL: http://codereview.chromium.org/27075
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@10234 0039d316-1c4b-4281-b951-d872f2087c98
| |
This compiles an empty file so we can generate the libplugin target needed by
other targets. This whole file does compile (see r9934), but it doesn't link
because of undefined refs to files which aren't compiling yet (e.g.
npobject_proxy stuff). But we need some sources to build an empty lib,
otherwise scons fails to link in skia (when linking with no source files, the
-L flag is left off the linker command, so libs in the build directory can't be
found).
Review URL: http://codereview.chromium.org/27019
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@10227 0039d316-1c4b-4281-b951-d872f2087c98
| |
Normally an NPObjectProxy uses the modal dialog event to figure out when it needs to pump window messages in an invoke. However, an NPObjectProxy created by an NPObjectStub never got access to this event, which led to this hang.
BUG=7793
Review URL: http://codereview.chromium.org/20515
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@10145 0039d316-1c4b-4281-b951-d872f2087c98
| |
Review URL: http://codereview.chromium.org/20449
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@9934 0039d316-1c4b-4281-b951-d872f2087c98
| |
a HANDLE from CreateEvent was used for signaling, both within a process and across processes.
WaitableEvent is the cross platform replacement for this. To convert:
* HANDLE -> base::WaitableEvent*
* ScopedHandle -> scoped_ptr<base::WaitableEvent>
* CreateEvent -> new base::WaitableEvent
* SetEvent -> base::WaitableEvent::Signal
* ResetEvent -> base::WaitableEvent::Reset
* ObjectWatcher -> base::WaitableEventWatcher
* WaitForMultipleObjects -> static base::WaitableEvent::WaitMany
ObjectWatcher remains for Windows specific code. WaitableEventWatcher has an identical interface save,
* It uses WaitableEvents, not HANDLEs
* It returns void from StartWatching and StopWatcher, rather than errors. System internal errors are fatal to the address space
IMPORTANT: There are semantic differences between the different platforms. WaitableEvents on Windows are implemented on top of events. Windows events work across process and this is used mostly for modal dialog support. Windows events can be duplicated with DuplicateHandle.
On other platforms, WaitableEvent works only within a single process. In the future we shall have to replace the current uses of cross-process events with IPCs.
BEWARE: HANDLE, on Windows, is a void *. Since any pointer type coerces to void *, you can pass a WaitableEvent * where a HANDLE is expected without any build-time errors.
Review URL: http://codereview.chromium.org/16554
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@8126 0039d316-1c4b-4281-b951-d872f2087c98
| |
a NULL channel during renderer plugin shutdown.
Fixes bug http://code.google.com/p/chromium/issues/detail?id=4740
R=jam
Bug=4740
Review URL: http://codereview.chromium.org/12609
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@5943 0039d316-1c4b-4281-b951-d872f2087c98
| |
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@1287 0039d316-1c4b-4281-b951-d872f2087c98
| |
deserializing a NPIdentifier. Also kill some extraneous std::string copies in NPVariant_Param code.
If you like I could eliminate NPIdentifier_Param in place of using NPIdentifier directly.
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@442 0039d316-1c4b-4281-b951-d872f2087c98
|
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@15 0039d316-1c4b-4281-b951-d872f2087c98