diff -Nru icedtea-web-1.2/debian/changelog icedtea-web-1.2/debian/changelog --- icedtea-web-1.2/debian/changelog 2012-04-09 07:44:50.000000000 -0700 +++ icedtea-web-1.2/debian/changelog 2012-08-03 21:11:20.000000000 -0700 @@ -1,3 +1,19 @@ +icedtea-web (1.2-2ubuntu2) quantal; urgency=low + + * SECURITY UPDATE: uninitialized pointer use flaw + - debian/patches/icedtea-web-CVE-2012-3422.patch: check for empty + instance_to_id_map hash and return error if so. + - CVE-2012-3422 + * SECURITY UPDATE: incorrect handling of non NULL terminated strings + - debian/patches/icedtea-web-CVE-2012-3423.patch: ensure NPVariant + NPStrings are NULL terminated. + - CVE-2012-3423 + * debian/patches/fix-plugin-error-on-chromium.patch: fix plugin + table initialization to check only that the subset of hooks that + it uses exists. (LP: #1025553) + + -- Steve Beattie Fri, 03 Aug 2012 21:10:50 -0700 + icedtea-web (1.2-2ubuntu1) precise; urgency=low * Regenerate the control file. diff -Nru icedtea-web-1.2/debian/control icedtea-web-1.2/debian/control --- icedtea-web-1.2/debian/control 2012-03-08 17:09:33.000000000 -0800 +++ icedtea-web-1.2/debian/control 2012-08-03 21:11:38.000000000 -0700 @@ -1,7 +1,8 @@ Source: icedtea-web Section: java Priority: extra -Maintainer: OpenJDK Team +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: OpenJDK Team Uploaders: Matthias Klose , Damien Raude-Morvan Build-Depends: debhelper (>= 5), firefox-dev, openjdk-6-jdk (>= 6b23~pre10~), zip, lsb-release, libgtk2.0-dev, pkg-config, default-jre-headless Standards-Version: 3.9.3 diff -Nru icedtea-web-1.2/debian/control.in icedtea-web-1.2/debian/control.in --- icedtea-web-1.2/debian/control.in 2012-03-08 16:14:41.000000000 -0800 +++ icedtea-web-1.2/debian/control.in 2012-08-03 21:11:38.000000000 -0700 @@ -1,7 +1,8 @@ Source: icedtea-web Section: java Priority: extra -Maintainer: OpenJDK Team +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: OpenJDK Team Uploaders: Matthias Klose , Damien Raude-Morvan Build-Depends: debhelper (>= 5), @bd_plugin@ openjdk-6-jdk (>= 6b23~pre10~), zip, lsb-release, libgtk2.0-dev, pkg-config, default-jre-headless Standards-Version: 3.9.3 diff -Nru icedtea-web-1.2/debian/patches/fix-plugin-error-on-chromium.patch icedtea-web-1.2/debian/patches/fix-plugin-error-on-chromium.patch --- icedtea-web-1.2/debian/patches/fix-plugin-error-on-chromium.patch 1969-12-31 16:00:00.000000000 -0800 +++ icedtea-web-1.2/debian/patches/fix-plugin-error-on-chromium.patch 2012-08-03 21:10:01.000000000 -0700 @@ -0,0 +1,246 @@ +Origin: http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/a49edd57b1b3 +Subject: only check if the minimal subset of the plugin table + icedtea-web uses exists +Bug: http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1073 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/icedtea-web/+bug/1025553 + +# HG changeset patch +# User Adam Domurad +# Date 1340899207 14400 +# Node ID a49edd57b1b332b431222b1c225189fe51676193 +# Parent d65bd94e0ba9b7c8b9051c7d471b55c2c74ea3f4 +Fixes invalid plugin table error that sometimes occurs. +The invalid plugin table error was happening when the API that was +being compiled with had a larger size than that of the browser. +The plugin now only checks if the minimal subset it uses exists. + +2012-06-28 Adam Domurad + + Allow passing of plugin tables and browser tables in NP_Initialize that + are not the expected length but still large enough for our purposes. + * plugin/icedteanp/IcedTeaNPPlugin.cc + (initialize_browser_functions): New function to check size of passed + browser function table, and initialize 'browser_functions' global + variable. + (initialize_plugin_table): New function to check size of passed + plugin function table, and initialize proper plugin callbacks. + (NP_Initialize): Make use of initialization helper functions, get + rid of old size tests and error if the helper functions fail. + +diff -r d65bd94e0ba9 -r a49edd57b1b3 plugin/icedteanp/IcedTeaNPPlugin.cc +--- a/plugin/icedteanp/IcedTeaNPPlugin.cc Fri Jun 08 13:44:25 2012 -0400 ++++ b/plugin/icedteanp/IcedTeaNPPlugin.cc Thu Jun 28 12:00:07 2012 -0400 +@@ -2022,105 +2022,48 @@ + PLUGIN_DEBUG ("plugin_data_destroy return\n"); + } + +-// FACTORY FUNCTIONS +- +-// Provides the browser with pointers to the plugin functions that we +-// implement and initializes a local table with browser functions that +-// we may wish to call. Called once, after browser startup and before +-// the first plugin instance is created. +-// The field 'initialized' is set to true once this function has +-// finished. If 'initialized' is already true at the beginning of +-// this function, then it is evident that NP_Initialize has already +-// been called. There is no need to call this function more than once and +-// this workaround avoids any duplicate calls. +-NPError +-NP_Initialize (NPNetscapeFuncs* browserTable, NPPluginFuncs* pluginTable) ++static bool ++initialize_browser_functions(const NPNetscapeFuncs* browserTable) + { +- PLUGIN_DEBUG ("NP_Initialize\n"); +- +- if ((browserTable == NULL) || (pluginTable == NULL)) ++#if MOZILLA_VERSION_COLLAPSED < 1090100 ++#define NPNETSCAPEFUNCS_LAST_FIELD_USED (browserTable->pluginthreadasynccall) ++#else ++#define NPNETSCAPEFUNCS_LAST_FIELD_USED (browserTable->setvalueforurl) ++#endif ++ ++ //Determine the size in bytes, as a difference of the address past the last used field ++ //And the browser table address ++ size_t usedSize = (char*)(1 + &NPNETSCAPEFUNCS_LAST_FIELD_USED) - (char*)browserTable; ++ ++ // compare the reported size versus the size we required ++ if (browserTable->size < usedSize) + { +- PLUGIN_ERROR ("Browser or plugin function table is NULL."); +- +- return NPERR_INVALID_FUNCTABLE_ERROR; ++ return false; + } + +- // Ensure that the major version of the plugin API that the browser +- // expects is not more recent than the major version of the API that +- // we've implemented. +- if ((browserTable->version >> 8) > NP_VERSION_MAJOR) +- { +- PLUGIN_ERROR ("Incompatible version."); +- +- return NPERR_INCOMPATIBLE_VERSION_ERROR; +- } +- +- // Ensure that the plugin function table we've received is large +- // enough to store the number of functions that we may provide. +- if (pluginTable->size < sizeof (NPPluginFuncs)) +- { +- PLUGIN_ERROR ("Invalid plugin function table."); +- +- return NPERR_INVALID_FUNCTABLE_ERROR; +- } +- +- // Ensure that the browser function table is large enough to store +- // the number of browser functions that we may use. +- if (browserTable->size < sizeof (NPNetscapeFuncs)) +- { +- fprintf (stderr, "ERROR: Invalid browser function table. Some functionality may be restricted.\n"); +- } +- +- // Store in a local table the browser functions that we may use. +- browser_functions.size = browserTable->size; +- browser_functions.version = browserTable->version; +- browser_functions.geturlnotify = browserTable->geturlnotify; +- browser_functions.geturl = browserTable->geturl; +- browser_functions.posturlnotify = browserTable->posturlnotify; +- browser_functions.posturl = browserTable->posturl; +- browser_functions.requestread = browserTable->requestread; +- browser_functions.newstream = browserTable->newstream; +- browser_functions.write = browserTable->write; +- browser_functions.destroystream = browserTable->destroystream; +- browser_functions.status = browserTable->status; +- browser_functions.uagent = browserTable->uagent; +- browser_functions.memalloc = browserTable->memalloc; +- browser_functions.memfree = browserTable->memfree; +- browser_functions.memflush = browserTable->memflush; +- browser_functions.reloadplugins = browserTable->reloadplugins; +- browser_functions.getJavaEnv = browserTable->getJavaEnv; +- browser_functions.getJavaPeer = browserTable->getJavaPeer; +- browser_functions.getvalue = browserTable->getvalue; +- browser_functions.setvalue = browserTable->setvalue; +- browser_functions.invalidaterect = browserTable->invalidaterect; +- browser_functions.invalidateregion = browserTable->invalidateregion; +- browser_functions.forceredraw = browserTable->forceredraw; +- browser_functions.getstringidentifier = browserTable->getstringidentifier; +- browser_functions.getstringidentifiers = browserTable->getstringidentifiers; +- browser_functions.getintidentifier = browserTable->getintidentifier; +- browser_functions.identifierisstring = browserTable->identifierisstring; +- browser_functions.utf8fromidentifier = browserTable->utf8fromidentifier; +- browser_functions.intfromidentifier = browserTable->intfromidentifier; +- browser_functions.createobject = browserTable->createobject; +- browser_functions.retainobject = browserTable->retainobject; +- browser_functions.releaseobject = browserTable->releaseobject; +- browser_functions.invoke = browserTable->invoke; +- browser_functions.invokeDefault = browserTable->invokeDefault; +- browser_functions.evaluate = browserTable->evaluate; +- browser_functions.getproperty = browserTable->getproperty; +- browser_functions.setproperty = browserTable->setproperty; +- browser_functions.removeproperty = browserTable->removeproperty; +- browser_functions.hasproperty = browserTable->hasproperty; +- browser_functions.hasmethod = browserTable->hasmethod; +- browser_functions.releasevariantvalue = browserTable->releasevariantvalue; +- browser_functions.setexception = browserTable->setexception; +- browser_functions.pluginthreadasynccall = browserTable->pluginthreadasynccall; +-#if MOZILLA_VERSION_COLLAPSED >= 1090100 +- browser_functions.getvalueforurl = browserTable->getvalueforurl; +- browser_functions.setvalueforurl = browserTable->setvalueforurl; +-#endif +- +- // Return to the browser the plugin functions that we implement. ++ //Ensure any unused fields are NULL ++ memset(&browser_functions, 0, sizeof(NPNetscapeFuncs)); ++ //Copy fields according to given size ++ memcpy(&browser_functions, browserTable, browserTable->size); ++ ++ return true; ++} ++ ++/* Set the plugin table to the correct contents, taking care not to write past ++ * the provided object space */ ++static bool ++initialize_plugin_table(NPPluginFuncs* pluginTable) ++{ ++#define NPPLUGINFUNCS_LAST_FIELD_USED (pluginTable->getvalue) ++ ++ //Determine the size in bytes, as a difference of the address past the last used field ++ //And the browser table address ++ size_t usedSize = (char*)(1 + &NPPLUGINFUNCS_LAST_FIELD_USED) - (char*)pluginTable; ++ ++ // compare the reported size versus the size we required ++ if (pluginTable->size < usedSize) ++ return false; ++ + pluginTable->version = (NP_VERSION_MAJOR << 8) + NP_VERSION_MINOR; + pluginTable->size = sizeof (NPPluginFuncs); + +@@ -2150,6 +2093,68 @@ + pluginTable->getvalue = NPP_GetValueProcPtr (ITNP_GetValue); + #endif + ++ return true; ++} ++ ++// FACTORY FUNCTIONS ++ ++// Provides the browser with pointers to the plugin functions that we ++// implement and initializes a local table with browser functions that ++// we may wish to call. Called once, after browser startup and before ++// the first plugin instance is created. ++// The field 'initialized' is set to true once this function has ++// finished. If 'initialized' is already true at the beginning of ++// this function, then it is evident that NP_Initialize has already ++// been called. There is no need to call this function more than once and ++// this workaround avoids any duplicate calls. ++NPError ++NP_Initialize (NPNetscapeFuncs* browserTable, NPPluginFuncs* pluginTable) ++{ ++ PLUGIN_DEBUG ("NP_Initialize\n"); ++ ++ if ((browserTable == NULL) || (pluginTable == NULL)) ++ { ++ PLUGIN_ERROR ("Browser or plugin function table is NULL."); ++ ++ return NPERR_INVALID_FUNCTABLE_ERROR; ++ } ++ ++ // Ensure that the major version of the plugin API that the browser ++ // expects is not more recent than the major version of the API that ++ // we've implemented. ++ if ((browserTable->version >> 8) > NP_VERSION_MAJOR) ++ { ++ PLUGIN_ERROR ("Incompatible version."); ++ ++ return NPERR_INCOMPATIBLE_VERSION_ERROR; ++ } ++ ++ // Copy into a global table (browser_functions) the browser functions that we may use. ++ // If the browser functions needed change, update NPNETSCAPEFUNCS_LAST_FIELD_USED ++ // within this function ++ bool browser_functions_supported = initialize_browser_functions(browserTable); ++ ++ // Check if everything we rely on is supported ++ if ( !browser_functions_supported ) ++ { ++ PLUGIN_ERROR ("Invalid browser function table."); ++ ++ return NPERR_INVALID_FUNCTABLE_ERROR; ++ } ++ ++ // Return to the browser the plugin functions that we implement. ++ // If the plugin functions needed change, update NPPLUGINFUNCS_LAST_FIELD_USED ++ // within this function ++ bool plugin_functions_supported = initialize_plugin_table(pluginTable); ++ ++ // Check if everything we rely on is supported ++ if ( !plugin_functions_supported ) ++ { ++ PLUGIN_ERROR ("Invalid plugin function table."); ++ ++ return NPERR_INVALID_FUNCTABLE_ERROR; ++ } ++ + // Re-setting the above tables multiple times is OK (as the + // browser may change its function locations). However + // anything beyond this point should only run once. + diff -Nru icedtea-web-1.2/debian/patches/icedtea-web-CVE-2012-3422.patch icedtea-web-1.2/debian/patches/icedtea-web-CVE-2012-3422.patch --- icedtea-web-1.2/debian/patches/icedtea-web-CVE-2012-3422.patch 1969-12-31 16:00:00.000000000 -0800 +++ icedtea-web-1.2/debian/patches/icedtea-web-CVE-2012-3422.patch 2012-08-03 21:09:41.000000000 -0700 @@ -0,0 +1,44 @@ +Origin: upstream +Subject: getvalueforurl uninitialized instance pointer + +An uninitialized pointer use flaw was found in IcedTea-Web web +browser plugin. A malicious web page could use this flaw make +IcedTea-Web browser plugin pass invalid pointer to a web browser. +Depending on the browser used, it may cause the browser to crash or +possibly execute arbitrary code. + +The get_cookie_info() and get_proxy_info() call +getFirstInTableInstance() with the instance_to_id_map hash as a +parameter. If instance_to_id_map is empty (which can happen when +plugin was recently removed), getFirstInTableInstance() returns an +uninitialized pointer. + +CVE-2012-3422 + +diff --git a/plugin/icedteanp/IcedTeaNPPlugin.cc b/plugin/icedteanp/IcedTeaNPPlugin.cc +--- a/plugin/icedteanp/IcedTeaNPPlugin.cc ++++ b/plugin/icedteanp/IcedTeaNPPlugin.cc +@@ -925,6 +925,11 @@ ITNP_URLNotify (NPP instance, const char + NPError + get_cookie_info(const char* siteAddr, char** cookieString, uint32_t* len) + { ++ // Only attempt to perform this operation if there is a valid plugin instance ++ if (g_hash_table_size(instance_to_id_map) <= 0) ++ { ++ return NPERR_GENERIC_ERROR; ++ } + #if MOZILLA_VERSION_COLLAPSED < 1090100 + nsresult rv; + nsCOMPtr sec_man = +@@ -1330,6 +1335,11 @@ int get_id_from_instance(NPP instance) + NPError + get_proxy_info(const char* siteAddr, char** proxy, uint32_t* len) + { ++ // Only attempt to perform this operation if there is a valid plugin instance ++ if (g_hash_table_size(instance_to_id_map) <= 0) ++ { ++ return NPERR_GENERIC_ERROR; ++ } + #if MOZILLA_VERSION_COLLAPSED < 1090100 + nsresult rv; + diff -Nru icedtea-web-1.2/debian/patches/icedtea-web-CVE-2012-3423.patch icedtea-web-1.2/debian/patches/icedtea-web-CVE-2012-3423.patch --- icedtea-web-1.2/debian/patches/icedtea-web-CVE-2012-3423.patch 1969-12-31 16:00:00.000000000 -0800 +++ icedtea-web-1.2/debian/patches/icedtea-web-CVE-2012-3423.patch 2012-08-03 21:09:52.000000000 -0700 @@ -0,0 +1,234 @@ +Origin: http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/d7375e2a9076 + and http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/d65bd94e0ba9 +Subject: incorrect handling of not 0-terminated strings + +# HG changeset patch +# User Deepak Bhole +# Date 1338581118 14400 +# Node ID d7375e2a907697655e5b3051b1bf901256b2c73b +# Parent 0cdefd555de730965406802416044b4fb5ef02eb +Fixed PR863: Error passing strings to applet methods in Chromium + + PR863: Error passing strings to applet methods in Chromium + * plugin/icedteanp/IcedTeaJavaRequestProcessor.cc + (createJavaObjectFromVariant): Account for length of the characters. + * plugin/icedteanp/IcedTeaNPPlugin.cc (plugin_get_documentbase): Same. + * plugin/icedteanp/IcedTeaPluginRequestProcessor.cc (_eval): Print the + string's c_str rather than utf8characters/ + * plugin/icedteanp/IcedTeaPluginUtils.cc (printNPVariant): Account for + length of the characters. + (NPVariantToString): Same. + (isObjectJSArray): Same. + +# HG changeset patch +# User Adam Domurad +# Date 1339177465 14400 +# Node ID d65bd94e0ba9b7c8b9051c7d471b55c2c74ea3f4 +# Parent d7375e2a907697655e5b3051b1bf901256b2c73b +fixes PR518, ensures null termination of strings based off of NPVariant results. + + This patch fixes PR518, ensures null termination of strings based off + of NPVariant results. + * NEWS: Added line about fixing PR518 + * plugin/icedteanp/IcedTeaPluginUtils.h: Added declaration of + NPVariantAsString + * plugin/icedteanp/IcedTeaPluginUtils.cc + (NPVariantAsString): New. Converts an NPVariant to a + std::string, assumes it is a string. + (isObjectJSArray): Now uses NPVariantAsString, minor cleanup. + * plugin/icedteanp/IcedTeaJavaRequestProcessor.cc + (plugin_get_documentbase): Now uses NPVariantAsString. + * plugin/icedteanp/IcedTeaNPPlugin.cc + (NPVariantToString): Now uses NPVariantAsString, minor cleanup. + +It was discovered that the IcedTea-Web web browser plugin incorrectly +assumed that all strings provided by browser are NUL terminated, which +is not guaranteed by the NPAPI (Netscape Plugin Application Programming +Interface). When used in a browser that does not NUL terminate +NPVariant NPStrings, this could lead to buffer over-read or over-write, +resulting in possible information leak, crash, or code execution. + +Mozilla browsers currently NUL terminate strings, however recent +Chrome versions are known not to provide NUL terminated data. + +CVE-2012-3423 + +[Ubuntu note: patch differs from upstream commits in that they have been + merged into a single patch and the Changelog and NEWS entries have been + pulled out to reduce patch conflicts. --sbeattie] + +--- + plugin/icedteanp/IcedTeaJavaRequestProcessor.cc | 6 -- + plugin/icedteanp/IcedTeaNPPlugin.cc | 9 +--- + plugin/icedteanp/IcedTeaPluginRequestProcessor.cc | 4 - + plugin/icedteanp/IcedTeaPluginUtils.cc | 45 ++++++++++------------ + plugin/icedteanp/IcedTeaPluginUtils.h | 3 + + 5 files changed, 32 insertions(+), 35 deletions(-) + +Index: b/plugin/icedteanp/IcedTeaJavaRequestProcessor.cc +=================================================================== +--- a/plugin/icedteanp/IcedTeaJavaRequestProcessor.cc ++++ b/plugin/icedteanp/IcedTeaJavaRequestProcessor.cc +@@ -904,11 +904,7 @@ createJavaObjectFromVariant(NPP instance + } else if (NPVARIANT_IS_STRING(variant)) + { + className = "java.lang.String"; +-#if MOZILLA_VERSION_COLLAPSED < 1090200 +- stringArg += NPVARIANT_TO_STRING(variant).utf8characters; +-#else +- stringArg += NPVARIANT_TO_STRING(variant).UTF8Characters; +-#endif ++ stringArg = IcedTeaPluginUtilities::NPVariantAsString(variant); + } else if (NPVARIANT_IS_OBJECT(variant)) + { + +Index: b/plugin/icedteanp/IcedTeaNPPlugin.cc +=================================================================== +--- a/plugin/icedteanp/IcedTeaNPPlugin.cc ++++ b/plugin/icedteanp/IcedTeaNPPlugin.cc +@@ -1098,12 +1098,10 @@ plugin_get_documentbase (NPP instance) + browser_functions.getproperty(instance, NPVARIANT_TO_OBJECT(location), + href_id, &href); + ++ std::string href_str = IcedTeaPluginUtilities::NPVariantAsString(href); ++ + // Strip everything after the last "/" +-#if MOZILLA_VERSION_COLLAPSED < 1090200 +- gchar** parts = g_strsplit (NPVARIANT_TO_STRING(href).utf8characters, "/", -1); +-#else +- gchar** parts = g_strsplit (NPVARIANT_TO_STRING(href).UTF8Characters, "/", -1); +-#endif ++ gchar** parts = g_strsplit (href_str.c_str(), "/", -1); + guint parts_sz = g_strv_length (parts); + + std::string location_str; +@@ -1118,6 +1116,7 @@ plugin_get_documentbase (NPP instance) + // Release references. + browser_functions.releasevariantvalue(&href); + browser_functions.releasevariantvalue(&location); ++ g_strfreev(parts); + cleanup_done: + PLUGIN_DEBUG ("plugin_get_documentbase return\n"); + PLUGIN_DEBUG("plugin_get_documentbase returning: %s\n", documentbase_copy); +Index: b/plugin/icedteanp/IcedTeaPluginRequestProcessor.cc +=================================================================== +--- a/plugin/icedteanp/IcedTeaPluginRequestProcessor.cc ++++ b/plugin/icedteanp/IcedTeaPluginRequestProcessor.cc +@@ -842,12 +842,12 @@ _eval(void* data) + script.utf8characters = script_str->c_str(); + script.utf8length = script_str->size(); + +- PLUGIN_DEBUG("Evaluating: %s\n", script.utf8characters); ++ PLUGIN_DEBUG("Evaluating: %s\n", script_str->c_str()); + #else + script.UTF8Characters = script_str->c_str(); + script.UTF8Length = script_str->size(); + +- PLUGIN_DEBUG("Evaluating: %s\n", script.UTF8Characters); ++ PLUGIN_DEBUG("Evaluating: %s\n", script_str->c_str()); + #endif + + ((AsyncCallThreadData*) data)->call_successful = browser_functions.evaluate(instance, window_ptr, &script, eval_variant); +Index: b/plugin/icedteanp/IcedTeaPluginUtils.cc +=================================================================== +--- a/plugin/icedteanp/IcedTeaPluginUtils.cc ++++ b/plugin/icedteanp/IcedTeaPluginUtils.cc +@@ -668,11 +668,8 @@ IcedTeaPluginUtilities::printNPVariant(N + } + else if (NPVARIANT_IS_STRING(variant)) + { +-#if MOZILLA_VERSION_COLLAPSED < 1090200 +- PLUGIN_DEBUG("STRING: %s\n", NPVARIANT_TO_STRING(variant).utf8characters); +-#else +- PLUGIN_DEBUG("STRING: %s\n", NPVARIANT_TO_STRING(variant).UTF8Characters); +-#endif ++ std::string str = IcedTeaPluginUtilities::NPVariantAsString(variant); ++ PLUGIN_DEBUG("STRING: %s (length=%d)\n", str.c_str(), str.size()); + } + else + { +@@ -684,7 +681,7 @@ void + IcedTeaPluginUtilities::NPVariantToString(NPVariant variant, std::string* result) + { + char* str = (char*) malloc(sizeof(char)*32); // enough for everything except string +- ++ bool was_string_already = false; + if (NPVARIANT_IS_VOID(variant)) + { + sprintf(str, "%p", variant); +@@ -710,21 +707,15 @@ IcedTeaPluginUtilities::NPVariantToStrin + } + else if (NPVARIANT_IS_STRING(variant)) + { +- free(str); +-#if MOZILLA_VERSION_COLLAPSED < 1090200 +- str = (char*) malloc(sizeof(char)*NPVARIANT_TO_STRING(variant).utf8length); +- sprintf(str, "%s", NPVARIANT_TO_STRING(variant).utf8characters); +-#else +- str = (char*) malloc(sizeof(char)*NPVARIANT_TO_STRING(variant).UTF8Length); +- sprintf(str, "%s", NPVARIANT_TO_STRING(variant).UTF8Characters); +-#endif ++ result->append(IcedTeaPluginUtilities::NPVariantAsString(variant)); ++ was_string_already = true; + } + else + { + sprintf(str, "[Object %p]", variant); + } +- +- result->append(str); ++ if (!was_string_already) ++ result->append(str); + free(str); + } + +@@ -864,13 +855,7 @@ IcedTeaPluginUtilities::isObjectJSArray( + browser_functions.invoke(instance, constructor, toString, NULL, 0, &constructor_str); + IcedTeaPluginUtilities::printNPVariant(constructor_str); + +- std::string constructor_name = std::string(); +- +-#if MOZILLA_VERSION_COLLAPSED < 1090200 +- constructor_name.append(NPVARIANT_TO_STRING(constructor_str).utf8characters); +-#else +- constructor_name.append(NPVARIANT_TO_STRING(constructor_str).UTF8Characters); +-#endif ++ std::string constructor_name = IcedTeaPluginUtilities::NPVariantAsString(constructor_str); + + PLUGIN_DEBUG("Constructor for NPObject is %s\n", constructor_name.c_str()); + +@@ -913,6 +898,20 @@ IcedTeaPluginUtilities::decodeURL(const + PLUGIN_DEBUG("SENDING URL: %s\n", *decoded_url); + } + ++/* Copies a variant data type into a C++ string */ ++std::string ++IcedTeaPluginUtilities::NPVariantAsString(NPVariant variant) ++{ ++#if MOZILLA_VERSION_COLLAPSED < 1090200 ++ return std::string(( ++ NPVARIANT_TO_STRING(variant).utf8characters, ++ NPVARIANT_TO_STRING(variant).utf8ength); ++#else ++ return std::string( ++ NPVARIANT_TO_STRING(variant).UTF8Characters, ++ NPVARIANT_TO_STRING(variant).UTF8Length); ++#endif ++} + + /** + * Posts a function for execution on the plug-in thread and wait for result. +Index: b/plugin/icedteanp/IcedTeaPluginUtils.h +=================================================================== +--- a/plugin/icedteanp/IcedTeaPluginUtils.h ++++ b/plugin/icedteanp/IcedTeaPluginUtils.h +@@ -205,6 +205,9 @@ class IcedTeaPluginUtilities + /* Converts the given integer to a string */ + static void itoa(int i, std::string* result); + ++ /* Copies a variant data type into a C++ string */ ++ static std::string NPVariantAsString(NPVariant variant); ++ + /* Frees the given vector and the strings that its contents point to */ + static void freeStringPtrVector(std::vector* v); + diff -Nru icedtea-web-1.2/debian/patches/series icedtea-web-1.2/debian/patches/series --- icedtea-web-1.2/debian/patches/series 2012-04-09 07:30:54.000000000 -0700 +++ icedtea-web-1.2/debian/patches/series 2012-08-03 21:10:01.000000000 -0700 @@ -1,3 +1,6 @@ javaws_change_java_policy.diff gcc-option-order.diff hg-updates.diff +icedtea-web-CVE-2012-3422.patch +icedtea-web-CVE-2012-3423.patch +fix-plugin-error-on-chromium.patch