[gnome-shell/gnome-3-22] browser-plugin: The NPObject returned by NPP_GetValue should be retained

From: Carlos Garcia Campos <carlosgc src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnome-shell/gnome-3-22] browser-plugin: The NPObject returned by NPP_GetValue should be retained
Date: Sat, 29 Oct 2016 07:13:30 +0000 (UTC)

commit 6ed0c16dd0b4eaa574c7e8f2d8a60356e2d6131c
Author: Carlos Garcia Campos <cgarcia igalia com>
Date:   Fri Oct 28 15:33:11 2016 +0200

    browser-plugin: The NPObject returned by NPP_GetValue should be retained
    
    The Mozilla documentation says: "And as always when working with
    reference counted NPObjects, the caller is responsible for calling
    NPN_ReleaseObject on the NPObject to drop the reference."
    
    Browsers assume that the plugin does the right thing and always call
    NPN_ReleaseObject. At some point the object is released and deallocated
    and both the plugin and browser still have references to the object
    thinking that it's still alive. That's why the crash is sometimes in the
    plugin when it tries to use the np object, and sometimes in the browser.
    
    https://bugzilla.gnome.org/post_bug.cgi

 browser-plugin/browser-plugin.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
---
diff --git a/browser-plugin/browser-plugin.c b/browser-plugin/browser-plugin.c
index 4555a96..35e1596 100644
--- a/browser-plugin/browser-plugin.c
+++ b/browser-plugin/browser-plugin.c
@@ -1029,6 +1029,7 @@ NPP_GetValue(NPP          instance,
     if (!instance->pdata)
       return NPERR_INVALID_INSTANCE_ERROR;
 
+    funcs.retainobject (instance->pdata);
     *(NPObject**)value = instance->pdata;
     break;

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]