Bug 616400 - When a plugin returns a failure code from NPP_New, but creates JS objects in the process, anyone trying to script those objects after NPP_New fails will crash (Silverlight crash @NPObjWrapper_NewResolve). Call nsJSNPRuntime::OnPluginDestroy on a failed-init case just as we do in a normal cleanup case. r=josh a=blocker
authorBenjamin Smedberg <benjamin@smedbergs.us>
Thu, 03 Feb 2011 16:10:45 -0500
changeset 61875 41258e566f2e5ccb14cee2c645635d9f811cc522
parent 61873 c1523d3f78410892b1750d98e414171ca4793fe3
child 61876 0ab68a939a4561e0674b9217ec5fae74c595c9a2
push idunknown
push userunknown
push dateunknown
reviewersjosh, blocker
bugs616400
milestone2.0b12pre
Bug 616400 - When a plugin returns a failure code from NPP_New, but creates JS objects in the process, anyone trying to script those objects after NPP_New fails will crash (Silverlight crash @NPObjWrapper_NewResolve). Call nsJSNPRuntime::OnPluginDestroy on a failed-init case just as we do in a normal cleanup case. r=josh a=blocker
modules/plugin/base/src/nsNPAPIPluginInstance.cpp
--- a/modules/plugin/base/src/nsNPAPIPluginInstance.cpp
+++ b/modules/plugin/base/src/nsNPAPIPluginInstance.cpp
@@ -409,29 +409,25 @@ nsNPAPIPluginInstance::InitializePlugin(
     return NS_ERROR_FAILURE;
 
   // Mark this instance as running before calling NPP_New because the plugin may
   // call other NPAPI functions, like NPN_GetURLNotify, that assume this is set
   // before returning. If the plugin returns failure, we'll clear it out below.
   mRunning = RUNNING;
 
   nsresult newResult = library->NPP_New((char*)mimetype, &mNPP, (PRUint16)mode, count, (char**)names, (char**)values, NULL, &error);
-  if (NS_FAILED(newResult)) {
-    mRunning = DESTROYED;
-    return newResult;
-  }
-
   mInPluginInitCall = oldVal;
 
   NPP_PLUGIN_LOG(PLUGIN_LOG_NORMAL,
   ("NPP New called: this=%p, npp=%p, mime=%s, mode=%d, argc=%d, return=%d\n",
   this, &mNPP, mimetype, mode, count, error));
 
-  if (error != NPERR_NO_ERROR) {
+  if (NS_FAILED(newResult) || error != NPERR_NO_ERROR) {
     mRunning = DESTROYED;
+    nsJSNPRuntime::OnPluginDestroy(&mNPP);
     return NS_ERROR_FAILURE;
   }
   
   return NS_OK;
 }
 
 NS_IMETHODIMP nsNPAPIPluginInstance::SetWindow(NPWindow* window)
 {
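Review bot: The merged failure branch returns NS_ERROR_FAILURE where the removed branch returned `newResult`, so callers that distinguished the specific NPP_New failure code now only see a generic failure; if that distinction is used upstream, `return NS_FAILED(newResult) ? newResult : NS_ERROR_FAILURE;` preserves it. With the early return gone, the NPP_PLUGIN_LOG line is also reached on the NS_FAILED(newResult) path, where the plugin may never have written `error`; `error` is declared before the hunk, so confirm it is initialized at its declaration rather than relying on NPP_New to set it. The new OnPluginDestroy call deserves a why-comment so the next reader knows it is the fix and not incidental cleanup, e.g. `// Neuter any JS wrappers the plugin created during NPP_New so script cannot reach the torn-down instance.` InitializePlugin starts before this hunk.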