browser-plugin: The NPObject returned by NPP_GetValue should be retained

The Mozilla documentation says: "And as always when working with
reference counted NPObjects, the caller is responsible for calling
NPN_ReleaseObject on the NPObject to drop the reference."

Browsers assume that the plugin does the right thing and always call
NPN_ReleaseObject. At some point the object is released and deallocated
and both the plugin and browser still have references to the object
thinking that it's still alive. That's why the crash is sometimes in the
plugin when it tries to use the np object, and sometimes in the browser.

https://bugzilla.gnome.org/post_bug.cgi
This commit is contained in:
Carlos Garcia Campos 2016-10-28 15:33:11 +02:00 committed by Carlos Garcia Campos
parent d81a6bdf41
commit d5c0514e21

View File

@ -1029,6 +1029,7 @@ NPP_GetValue(NPP instance,
if (!instance->pdata) if (!instance->pdata)
return NPERR_INVALID_INSTANCE_ERROR; return NPERR_INVALID_INSTANCE_ERROR;
funcs.retainobject (instance->pdata);
*(NPObject**)value = instance->pdata; *(NPObject**)value = instance->pdata;
break; break;