Issue 42: unhandled exception occurs on line 584 of npapi_plugin/srpc/srpc_client.cc in the function MarshallInput()
Team CJETM
Affected OS: OSX, Linux, Windows
Affected Browser: Firefox
******************************
By supplying a negative integer to the getmsg() method an unhandled exception occurs on line 584 of npapi_plugin/srpc/srpc_client.cc in the function MarshallInput(). The negative value is passed to the 'new' operator where it is cast as unsigned and wraps to a large number that malloc cannot allocate. In our POC the C++ runtime throws an exception and Firefox exits. Please see attached Tar for Code and more Details.
Mar 03, 2009
Verified as an issue.
Status: Accepted
Mar 03, 2009
Attached is a better copy of the readme in ASCII.
Mar 03, 2009
After some thought and conversation with a friend (captain planet), if outputs[i]->tag is type NACL_SRPC_ARG_TYPE_INT_ARRAY this issue may be exploitable given the value 1073741824. - Team CJETM
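Added example, not part of the original thread or the Native Client source: it models the size computation behind an array allocation for the two inputs mentioned above (a negative count and 1073741824) and shows a validation that rejects both. Assumptions: a 32-bit build, so sizes are modelled as uint32_t, 4-byte array elements, and the hypothetical helper names unchecked_array_bytes and checked_array_bytes.

```cpp
#include <cstdint>
#include <cstdio>

// Assumption: 32-bit build, so allocation sizes are modelled as uint32_t.
using size32_t = uint32_t;
constexpr size32_t kElemSize = sizeof(int32_t);  // 4-byte array elements

// What an unchecked array-size computation amounts to when sizes are
// 32 bits wide: the signed count converts to unsigned, then the product
// with the element size is reduced modulo 2^32.
size32_t unchecked_array_bytes(int32_t count) {
  return static_cast<size32_t>(count) * kElemSize;
}

// Hardened form (hypothetical helper): reject negative counts and counts
// whose byte size does not fit, before any allocator sees the value.
bool checked_array_bytes(int32_t count, size32_t* out_bytes) {
  if (count < 0) return false;  // would wrap to a huge request
  if (static_cast<size32_t>(count) > UINT32_MAX / kElemSize) {
    return false;               // product would wrap to a small request
  }
  *out_bytes = static_cast<size32_t>(count) * kElemSize;
  return true;
}

int main() {
  const int32_t samples[] = {16, -1, 1073741824};  // constructed inputs
  for (int32_t n : samples) {
    size32_t bytes = 0;
    bool ok = checked_array_bytes(n, &bytes);
    std::printf("count=%d unchecked_bytes=%u checked=%s\n",
                static_cast<int>(n),
                static_cast<unsigned>(unchecked_array_bytes(n)),
                ok ? "accepted" : "rejected");
  }
  return 0;
}
```

The negative count wraps to a request the allocator refuses, which is a crash; the second value is the more serious case because the computed size wraps to zero, so an allocation can succeed with far less room than the element count implies.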
Mar 04, 2009
(No comment was entered for this change.)
Owner: nativeclient.admin
Cc: bradc...@google.com s...@google.com
Mar 12, 2009
(No comment was entered for this change.)
Owner: s...@google.com
Labels: Type-Defect
Apr 10, 2009
Fix was released in release 57.
Status: Fixed