Mozilla CVE-2010-1198 Java Plugin Wild Pointer Crash Fix

Key Information Extraction Vulnerability Overview Title: Investigate crash caused by Java plug-in using deleted WMP plug-in object (MSVR-09-0049) CVE ID: CVE-2010-1198 Resolution Status: RESOLVED FIXED Type: defect Severity: normal Vulnerability Details Cause: Plugin A may reference the NPObjgrct of another plugin B. When plugin B is uninstalled from the page, plugin A ends up with a dangling pointer to a freed NPObjgrct, leading to a crash. Proposed Fix Solution: When passing NPObjgrct belonging to a different instance, use double wrapping instead of direct unwrapping. This means other plugins receive a reference to nsJSObjWrapper, avoiding direct references to NPObjgrct that may be destroyed. Testing and Review Test Links: Code, Test Review: The patch underwent multiple reviews and revisions, and was eventually merged into the 1.9.2 and Lorentz branches. Impact and Follow-up Risk Assessment: The code change is simple, but carries risk in terms of impact, especially since two instances of the same plugin now receive wrapped objects instead of native objects. Follow-up Actions: - Apply the fix to other branches. - Submit additional test cases to evaluate the effectiveness of the fix. - Monitor newly reported crashes related to the JS engine; may require opening a new issue to track. - Potential null-dereference crashes may need to be reclassified as 4.0 fixes, and new bugs created for related issues.

Goal Reached Thanks to every supporter — we hit 100%!

Mozilla CVE-2010-1198 Java Plugin Wild Pointer Crash Fix