From 84415815e15b34b3a507731617f79673eb5d4601 Mon Sep 17 00:00:00 2001
From: "amit@chromium.org"
Date: Wed, 19 May 2010 23:12:42 +0000
Subject: Check correct offset to avoid crash

This change corrects the offset and the condition to avoid crash in IBrowserService2::v_MayTranslateAccelerator.
BUG=25457
Review URL: http://codereview.chromium.org/2109010
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@47744 0039d316-1c4b-4281-b951-d872f2087c98
---
 chrome_frame/chrome_frame_activex_base.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'chrome_frame')
diff --git a/chrome_frame/chrome_frame_activex_base.h b/chrome_frame/chrome_frame_activex_base.h
index de60462..9aa1cc3 100644
--- a/chrome_frame/chrome_frame_activex_base.h
+++ b/chrome_frame/chrome_frame_activex_base.h
@@ -918,7 +918,7 @@ END_MSG_MAP()
 // sent to the out of proc chromium instance.
 // Returns S_OK iff the accelerator was handled by the browser.
 HRESULT AllowFrameToTranslateAccelerator(const MSG& msg) {
- static const int kMayTranslateAcceleratorOffset = 0x170;
+ static const int kMayTranslateAcceleratorOffset = 0x5c;
 // Although IBrowserService2 is officially deprecated, it's still alive
 // and well in IE7 and earlier. We have to use it here to correctly give
 // the browser a chance to handle keyboard shortcuts.
@@ -941,7 +941,8 @@ END_MSG_MAP()
 // circumstances this vtable is actually used though.
 if (S_OK == DoQueryService(SID_STopLevelBrowser, m_spInPlaceSite, bs2.Receive()) && bs2.get() &&
- (bs2 + kMayTranslateAcceleratorOffset)) {
+ *(reinterpret_cast(bs2.get()) +
+ kMayTranslateAcceleratorOffset)) {
 hr = bs2->v_MayTranslateAccelerator(&accel_message);
 } else {
 // IE8 doesn't support IBrowserService2 unless you enable a special,
-- cgit v1.1
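Review bot: `kMayTranslateAcceleratorOffset` carries no unit, and the new value cannot be checked without one. 0x170 divided by 4 is exactly 0x5c, so the constant appears to have changed from a byte offset on a 32-bit build to a count of pointer-sized slots, though nothing in the hunk says so. A comment on the declaration would pin it down, for example `// Index, in pointer-sized slots (not bytes), of v_MayTranslateAccelerator in the IBrowserService2 vtable.` The body of `AllowFrameToTranslateAccelerator` continues outside this hunk.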
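Review bot: The new guard dereferences only once, so `*(reinterpret_cast(bs2.get()) + kMayTranslateAcceleratorOffset)` loads from an address 0x5c elements past the interface pointer itself rather than from a slot of the object's vtable; the cast's template argument is not visible on this page, but the single `*` around the whole sum is. Reading the slot needs the vtable pointer loaded first, e.g. `*(*reinterpret_cast<void***>(bs2.get()) + kMayTranslateAcceleratorOffset)`. As written the test can read beyond the object's own storage, and its result says nothing about whether `v_MayTranslateAccelerator` is safe to call, which is the crash the commit sets out to avoid. Even with the slot read correctly, a non-null entry is a weak check on a host-supplied COM object, so the comment above the `if` should state which IE versions the slot index was confirmed against. The `if`/`else` continues outside the hunk.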