Updates:
	Status: Available
	Owner: ---
	Cc: da...@chromium.org j...@chromium.org

Comment #4 on issue 20651 by yusu...@chromium.org: Use-after-free in NPAPI::PluginInstance::NPP_DestroyStream() (free was in NPAPI::PluginInstance::RemoveStream())
http://code.google.com/p/chromium/issues/detail?id=20651

> Seen again today:

Yeah, I know, since I'm on sheriff duty today.

I've investigated this issue a little. The object in question (the PluginStreamUrl object) is created by WebPluginDelegateImpl:

(gdb) bt
#0  NPAPI::PluginInstance::AddStream (this=0xf4a6d9d8, stream=0xf4a14070) at /usr/local/google/home/yusukes/chromium_rw2/src/webkit/glue/plugins/plugin_instance.cc:83
#1  0x09c79378 in NPAPI::PluginInstance::CreateStream (this=0xf4a6d9d8, resource_id=1, u...@0xffffc57c, mime_ty...@0xffffc528, notify_needed=false, notify_data=0x0) at /usr/local/google/home/yusukes/chromium_rw2/src/webkit/glue/plugins/plugin_instance.cc:76
#2  0x09c2c78d in WebPluginDelegateImpl::CreateResourceClient (this=0xf4a6db08, resource_id=1, u...@0xffffc57c, notify_needed=false, notify_data=0, existing_stream=0) at /usr/local/google/home/yusukes/chromium_rw2/src/webkit/glue/plugins/webplugin_delegate_impl.cc:227
#3  0x09c5e8dd in webkit_glue::WebPluginImpl::HandleURLRequestInternal (this=0xf4a6b400, method=0xab64525 "GET", is_javascript_url=false, target=0x0, len=0, buf=0x0, is_file_data=false, notify=false, url=0xf4a6cea4 "data:text/plain,", notify_data=0, popups_allowed=false, use_plugin_src_as_referrer=false) at /usr/local/google/home/yusukes/chromium_rw2/src/webkit/glue/webplugin_impl.cc:864
#4  0x09c5ea5f in webkit_glue::WebPluginImpl::OnDownloadPluginSrcUrl (this=0xf4a6b400) at /usr/local/google/home/yusukes/chromium_rw2/src/webkit/glue/webplugin_impl.cc:627

When the AddStream function (#0) returns, the reference count of the object is 1 (PluginInstance::open_streams_ holds the ref). And the WebPluginImpl::HandleURLRequestInternal function uses the object _without_ increasing the reference counter.

In the destroy-stream-twice.html LayoutTest, PluginInstance::RemoveStream() is called shortly afterwards, while the WebPluginImpl is still using the object. Since the ref count is 1, the object is deleted at this point.

I'm not sure, but probably the WebPluginImpl should have a 'vector<scoped_refptr<PluginStreamUrl> > open_streams_' member variable as well, so that objects in use will never be deleted?? Can someone who is familiar with this area own this?
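The lifetime bug the comment describes, reduced to a stand-alone C++ model. This is an added illustration, not Chromium code: a toy intrusive refcount and a RefPtr class stand in for base::RefCounted and scoped_refptr, Instance stands in for PluginInstance, Stream for PluginStreamUrl, and the IsLive bookkeeping exists only so the demo can report a freed object instead of dereferencing it. The container is the sole owner of the stream; a caller that keeps only a raw pointer while RemoveStream() runs ends up with a dangling pointer, and the fix the comment suggests (the caller holding its own reference for the duration of the request) is shown beside it.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>
#include <vector>

// Toy intrusive refcount standing in for base::RefCounted (assumed names, not
// Chromium's classes). Live objects are tracked in a set so that a use-after-
// free shows up as a false return value rather than as undefined behaviour.
class Stream {
 public:
  explicit Stream(int id) : id_(id), refs_(0) { live_.insert(this); }
  void AddRef() { ++refs_; }
  void Release() {
    if (--refs_ == 0) delete this;  // last reference gone: object is freed
  }
  int id() const { return id_; }
  // Only compares the pointer value against the set of live objects; never
  // dereferences it, so it is safe to call on a pointer that may dangle.
  static bool IsLive(const Stream* s) { return live_.count(s) != 0; }

 private:
  ~Stream() { live_.erase(this); }
  int id_;
  int refs_;
  static std::set<const Stream*> live_;
};
std::set<const Stream*> Stream::live_;

// Minimal scoped_refptr-like smart pointer (assumed, for the demo).
template <typename T>
class RefPtr {
 public:
  RefPtr() : p_(nullptr) {}
  explicit RefPtr(T* p) : p_(p) { if (p_) p_->AddRef(); }
  RefPtr(const RefPtr& o) : p_(o.p_) { if (p_) p_->AddRef(); }
  RefPtr& operator=(const RefPtr& o) {
    RefPtr tmp(o);              // take a ref on the new target
    T* t = p_; p_ = tmp.p_; tmp.p_ = t;
    return *this;               // tmp's destructor releases the old target
  }
  ~RefPtr() { if (p_) p_->Release(); }
  T* get() const { return p_; }

 private:
  T* p_;
};

// Stand-in for PluginInstance: open_streams_ is the only owner of each stream,
// exactly the situation after AddStream() returns in the backtrace above.
class Instance {
 public:
  Stream* CreateStream(int id) {
    Stream* s = new Stream(id);
    open_streams_.push_back(RefPtr<Stream>(s));  // refcount is now 1
    return s;                                     // raw pointer handed out
  }
  // Models RemoveStream(): drops the container's reference. If nobody else
  // holds one, the stream is deleted right here.
  void RemoveStream(Stream* s) {
    for (std::size_t i = 0; i < open_streams_.size(); ++i) {
      if (open_streams_[i].get() == s) {
        open_streams_.erase(open_streams_.begin() + i);
        return;
      }
    }
  }

 private:
  std::vector<RefPtr<Stream>> open_streams_;
};

// Buggy pattern from the comment: the caller keeps only a raw pointer while
// RemoveStream() is triggered mid-request (the LayoutTest destroys the stream
// twice). Returns whether the stream is still alive where the caller would
// next touch it; false means the next access would be a use-after-free.
bool UseWithoutOwnRef(Instance& inst) {
  Stream* s = inst.CreateStream(1);
  inst.RemoveStream(s);        // last ref dropped underneath the caller
  return Stream::IsLive(s);    // false: s now dangles
}

// Fix the comment suggests: the caller holds its own scoped_refptr for the
// duration of the request, so RemoveStream() cannot free the object.
bool UseWithOwnRef(Instance& inst) {
  RefPtr<Stream> s(inst.CreateStream(1));  // refcount 2
  inst.RemoveStream(s.get());              // refcount 1, object survives
  return Stream::IsLive(s.get());          // true; freed when s leaves scope
}

int main() {
  Instance a, b;
  std::printf("raw pointer only: alive=%d\n", UseWithoutOwnRef(a));
  std::printf("own scoped ref:   alive=%d\n", UseWithOwnRef(b));
  return 0;
}
```

The model deliberately leaves out the second half of the real fix: once the caller holds a reference, the code that used to assume "removed from open_streams_ means destroyed" has to cope with a stream that outlives its removal, which is why the comment proposes an owning container on the WebPluginImpl side rather than a one-off AddRef.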