Status: Untriaged
Owner: ----
Labels: Type-Bug Pri-1 OS-All Area-Misc Size-Medium

New issue 20651 by d...@chromium.org: Use-after-free in NPAPI::PluginInstance::NPP_DestroyStream() (free was in NPAPI::PluginInstance::RemoveStream())
http://code.google.com/p/chromium/issues/detail?id=20651

Seen on the linux valgrind layout bot today:

http://build.chromium.org/buildbot/waterfall/builders/Webkit%20Linux%20(valgrind%20layout)/builds/1496/steps/valgrind%20test:%20layout/logs/stdio

This run included LayoutTests/plugins/destroy-stream-twice.html,
which sounds pretty suggestive.

Invalid read of size 4
   NPAPI::PluginInstance::NPP_DestroyStream(_NPStream*, short)
(webkit/glue/plugins/plugin_instance.cc:239)
   NPN_DestroyStream (webkit/glue/plugins/plugin_host.cc:557)
   pluginInvoke(NPObject*, void*, _NPVariant const*, unsigned int,
_NPVariant*) (webkit/tools/npapi_layout_test_plugin/PluginObject.cpp:410)
   npObjectInvokeImpl(v8::Arguments const&, InvokeFunctionType)
(third_party/WebKit/WebCore/bindings/v8/V8NPObject.cpp:101)
   npObjectMethodHandler(v8::Arguments const&)
(third_party/WebKit/WebCore/bindings/v8/V8NPObject.cpp:129)
   v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**)
(v8/src/builtins.cc:395)
Suppression:
   fun:_ZN5NPAPI14PluginInstance17NPP_DestroyStreamEP9_NPStreams
   fun:NPN_DestroyStream
   fun:_Z12pluginInvokeP8NPObjectPvPK10_NPVariantjPS2_
   fun:_Z18npObjectInvokeImplRKN2v89ArgumentsE18InvokeFunctionType
   fun:_Z21npObjectMethodHandlerRKN2v89ArgumentsE
   fun:_ZN2v88internal21Builtin_HandleApiCallEiPPNS0_6ObjectE
Address 0x5137acc is 12 bytes inside a block of size 172 free'd
   operator delete(void*)
(ome/chrome-bot/valgrind-20090715/coregrind/m_replacemalloc/vg_replace_malloc.c:345)
   NPAPI::PluginStreamUrl::~PluginStreamUrl()
(webkit/glue/plugins/plugin_stream_url.cc:29)
   std::vector<scoped_refptr<NPAPI::PluginStream>,
std::allocator<scoped_refptr<NPAPI::PluginStream> >
> ::erase(__gnu_cxx::__normal_iterator<scoped_refptr<NPAPI::PluginStream>*,
std::vector<scoped_refptr<NPAPI::PluginStream>,
std::allocator<scoped_refptr<NPAPI::PluginStream> > > >)
(base/ref_counted.h:80)
   NPAPI::PluginInstance::RemoveStream(NPAPI::PluginStream*)
(webkit/glue/plugins/plugin_instance.cc:92)
   NPAPI::PluginStreamUrl::Close(short)
(webkit/glue/plugins/plugin_stream_url.cc:34)
   NPAPI::PluginStreamUrl::DidFinishLoading()
(webkit/glue/plugins/plugin_stream_url.cc:76)
   WebPluginImpl::didFinishLoading(WebKit::WebURLLoader*)
(webkit/glue/webplugin_impl.cc:779)
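
Added illustration of the ordering the trace shows (not Chromium's code and not whatever fix was eventually landed): RemoveStream() erasing the vector entry drops the last reference, so the stream the caller still holds a raw pointer to is destroyed before NPP_DestroyStream() reads it. Names are assumed stand-ins, with std::shared_ptr in place of scoped_refptr; the unsafe path reports the freed state through a weak_ptr rather than dereferencing freed memory.

```cpp
#include <algorithm>
#include <memory>
#include <vector>
// Assumed stand-ins: Stream for NPAPI::PluginStream, Instance for
// NPAPI::PluginInstance, vector<shared_ptr> for the vector<scoped_refptr>.
struct Stream { bool destroy_notified = false; };  // what NPP_DestroyStream reads
struct Instance {
  std::vector<std::shared_ptr<Stream>> streams;
  // Mirrors RemoveStream(): erase() drops the container's reference,
  // which is the last one unless a caller holds its own.
  void RemoveStream(Stream* s) {
    auto same = [s](const std::shared_ptr<Stream>& p) { return p.get() == s; };
    streams.erase(std::remove_if(streams.begin(), streams.end(), same),
                  streams.end());
  }
  // Ordering from the trace: remove first, then pass the raw pointer on to
  // NPP_DestroyStream. A weak_ptr reports the freed state instead of a UAF.
  bool RemoveThenNotify(Stream* s) {
    std::weak_ptr<Stream> watch = Find(s);
    RemoveStream(s);
    return watch.expired();  // true: the later read would touch freed memory
  }
  // Fixed ordering: hold an owning reference for the whole operation so
  // erasing the container entry cannot destroy the stream mid-call.
  bool NotifyWithOwnRef(Stream* s) {
    std::shared_ptr<Stream> keep_alive = Find(s);
    if (!keep_alive) return false;
    RemoveStream(s);
    keep_alive->destroy_notified = true;  // stand-in for NPP_DestroyStream
    return keep_alive->destroy_notified;
  }
 private:
  std::shared_ptr<Stream> Find(Stream* s) {
    for (const auto& p : streams) if (p.get() == s) return p;
    return nullptr;
  }
};

bool UnsafeOrderingFreesStream() {
  Instance inst;
  inst.streams.push_back(std::make_shared<Stream>());
  return inst.RemoveThenNotify(inst.streams[0].get());
}

bool SafeOrderingKeepsStreamAlive() {
  Instance inst;
  inst.streams.push_back(std::make_shared<Stream>());
  return inst.NotifyWithOwnRef(inst.streams[0].get()) && inst.streams.empty();
}
```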
