Crash when passing Symbol to NPAPI plugin objects
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Jun 2015 18:31:02 +0000 (18:31 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 9 Jun 2015 18:31:02 +0000 (18:31 +0000)
commit9c349f134af36acc5956ae2b39cf66d234a61135
tree10cf8f94525396786f5abf1734e0d827f46dbbf1
parentaa21312c57d809589f73699f388939bdea9c8d1f
Crash when passing Symbol to NPAPI plugin objects
https://bugs.webkit.org/show_bug.cgi?id=145798

Reviewed by Darin Adler.

Source/WebCore:

Test: plugins/npruntime/script-object-with-symbols.html

For C bridge APIs, we add guards for symbols.
This is the same to the existing guards in Objective-C APIs.

* bridge/c/c_class.cpp:
(JSC::Bindings::CClass::methodNamed):
(JSC::Bindings::CClass::fieldNamed):
* bridge/objc/objc_class.mm:
(JSC::Bindings::ObjcClass::methodNamed):
(JSC::Bindings::ObjcClass::fieldNamed):
(JSC::Bindings::ObjcClass::fallbackObject):

Source/WebKit2:

When the symbol is passed, `propertyName.publicName()` becomes nullptr.
So dereferencing it causes null dereference errors.
At first, this bug appears in the https://bugs.webkit.org/show_bug.cgi?id=145556,
plugin[@@toStringTag] ("string" + plugin) causes SEGV in plugins/embed-inside-object.html test.

This patch avoids it by early returning when the symbols are passed.
Methods for symbols are not implemented in the NPObject side, so it works correctly.

* WebProcess/Plugins/Netscape/JSNPObject.cpp:
(WebKit::npIdentifierFromIdentifier):
(WebKit::JSNPObject::callMethod):
(WebKit::JSNPObject::getOwnPropertySlot):
(WebKit::JSNPObject::put):
(WebKit::JSNPObject::deleteProperty):
(WebKit::JSNPObject::propertyGetter):
(WebKit::JSNPObject::methodGetter):

LayoutTests:

* plugins/npruntime/script-object-with-symbols-expected.txt: Added.
* plugins/npruntime/script-object-with-symbols.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@185369 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/plugins/npruntime/script-object-with-symbols-expected.txt [new file with mode: 0644]
LayoutTests/plugins/npruntime/script-object-with-symbols.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/bridge/c/c_class.cpp
Source/WebCore/bridge/objc/objc_class.mm
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp