authorSamuel Lidén Borell <samuel@slbdata.se>2010-12-03 00:12:53 +0100
committerSamuel Lidén Borell <samuel@slbdata.se>2010-12-03 00:12:53 +0100
commit1fc3089f2b11b705d14e391824e0340a964c40e4 (patch)
tree7f933945509ddfbbe0d7f07be85d49ff1d214379
parent26495bdcf595f2bb23500f755ecb5f8aa021917f (diff)
Check the correct parameters in SetParam
This error was introduced by commit f2f771cf891abac6120060bd52c3b879f0620f92. It hasn't been included in any stable release. SetParam calls IS_CALL_2, which in turn calls ARG, which has a bug. This could cause problems if the second parameter is not a string and the code casts it to a string pointer and a length value. It does survive the input fuzzer, but it might crash or leak data with carefully crafted data.
-rw-r--r--plugin/pluginutil.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/plugin/pluginutil.h b/plugin/pluginutil.h
index fad782b..ce95b01 100644
--- a/plugin/pluginutil.h
+++ b/plugin/pluginutil.h
@@ -19,7 +19,7 @@ bool copyIdentifierName(NPIdentifier ident, char *name, size_t maxLength);
#define IS_CALL(NAME, ARGCOUNT) (!strcmp(name, (NAME)) && (argCount == (ARGCOUNT)))
-#define ARG(N, TYPE) NPVARIANT_IS_##TYPE(args[0])
+#define ARG(N, TYPE) NPVARIANT_IS_##TYPE(args[N])
#define IS_CALL_0(NAME) IS_CALL((NAME), 0)
#define IS_CALL_1(NAME, T1) (IS_CALL((NAME), 1) && ARG(0, T1))