From 3989b372084757661418b0189d074c1af3314035 Mon Sep 17 00:00:00 2001
From: James Willcox
Date: Wed, 23 Jan 2013 09:16:26 -0500
Subject: [PATCH] Bug 800838 - Guard against invalid NPP when unscheduling plugin timers on Android r=blassey
---
 dom/plugins/base/nsNPAPIPlugin.cpp | 6 ++++++
 dom/plugins/base/nsNPAPIPluginInstance.cpp | 21 +++++++++++++++++++++
 dom/plugins/base/nsNPAPIPluginInstance.h | 2 ++
 3 files changed, 29 insertions(+)
diff --git a/dom/plugins/base/nsNPAPIPlugin.cpp b/dom/plugins/base/nsNPAPIPlugin.cpp
index 6d0c3e5c653d..4a8d48d27749 100644
--- a/dom/plugins/base/nsNPAPIPlugin.cpp
+++ b/dom/plugins/base/nsNPAPIPlugin.cpp
@@ -2813,7 +2813,13 @@ _scheduletimer(NPP instance, uint32_t interval, NPBool repeat, PluginTimerFunc t
 void NP_CALLBACK
 _unscheduletimer(NPP instance, uint32_t timerID)
 {
+#ifdef MOZ_WIDGET_ANDROID
+ // Sometimes Flash calls this with a dead NPP instance. Ensure the one we have
+ // here is valid and maps to a nsNPAPIPluginInstance.
+ nsNPAPIPluginInstance *inst = nsNPAPIPluginInstance::GetFromNPP(instance);
+#else
 nsNPAPIPluginInstance *inst = (nsNPAPIPluginInstance *)instance->ndata;
+#endif
 if (!inst)
 return;
diff --git a/dom/plugins/base/nsNPAPIPluginInstance.cpp b/dom/plugins/base/nsNPAPIPluginInstance.cpp
index bd8b84c9860c..63162328b2ba 100644
--- a/dom/plugins/base/nsNPAPIPluginInstance.cpp
+++ b/dom/plugins/base/nsNPAPIPluginInstance.cpp
@@ -151,6 +151,8 @@ private:
 Mutex mLock;
 };
+static std::map sPluginNPPMap;
+
 #endif
 using namespace mozilla;
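Review bot: In `_unscheduletimer` the Android lookup accepts any `instance` whose address is currently a key in the map, so it rules out unknown pointers but not stale ones: a dead NPP whose storage has since been reused by a newer nsNPAPIPluginInstance would still resolve to a live object, and the timer call would proceed against the wrong instance. The `#else` branch keeps the unchecked `instance->ndata` read, so non-Android builds still dereference whatever pointer the plugin passes, including null; if the lookup cannot be used on every platform, `if (!instance) return;` before the cast would at least cover the null case. `_scheduletimer`, named in the hunk header, and the rest of this function lie outside the hunk, so whether sibling NPN callbacks need the same guard cannot be judged from here.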
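Review bot: `sPluginNPPMap` is a plain file-scope `std::map` with no lock, yet it is written in the constructor and destructor (hunk at -190) and read in `GetFromNPP` (hunk at -1052), which `_unscheduletimer` reaches from a plugin-invoked callback. If any of those can run off the main thread, a concurrent `find` and `erase` on the map is a data race that could itself corrupt memory; the diff does not show which threads reach them. I would either state the contract next to the declaration, `// Main thread only: maps live NPP handles to their owning instance.`, and back it with `MOZ_ASSERT(NS_IsMainThread());` in `GetFromNPP`, or guard the map with a mutex.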
@@ -190,12 +192,20 @@ nsNPAPIPluginInstance::nsNPAPIPluginInstance()
 mNPP.ndata = this;
 PLUGIN_LOG(PLUGIN_LOG_BASIC, ("nsNPAPIPluginInstance ctor: this=%p\n",this));
+
+#ifdef MOZ_WIDGET_ANDROID
+ sPluginNPPMap[&mNPP] = this;
+#endif
 }
 nsNPAPIPluginInstance::~nsNPAPIPluginInstance()
 {
 PLUGIN_LOG(PLUGIN_LOG_BASIC, ("nsNPAPIPluginInstance dtor: this=%p\n",this));
+#ifdef MOZ_WIDGET_ANDROID
+ sPluginNPPMap.erase(&mNPP);
+#endif
+
 if (mMIMEType) {
 PR_Free((void *)mMIMEType);
 mMIMEType = nullptr;
@@ -1052,6 +1062,17 @@ void nsNPAPIPluginInstance::SetInverted(bool aInverted)
 mInverted = aInverted;
 }
+nsNPAPIPluginInstance* nsNPAPIPluginInstance::GetFromNPP(NPP npp)
+{
+ std::map::iterator it;
+
+ it = sPluginNPPMap.find(npp);
+ if (it == sPluginNPPMap.end())
+ return nullptr;
+
+ return it->second;
+}
+
 #endif
 nsresult nsNPAPIPluginInstance::GetDrawingModel(int32_t* aModel)
diff --git a/dom/plugins/base/nsNPAPIPluginInstance.h b/dom/plugins/base/nsNPAPIPluginInstance.h
index ef554b043d65..c819056c2c17 100644
--- a/dom/plugins/base/nsNPAPIPluginInstance.h
+++ b/dom/plugins/base/nsNPAPIPluginInstance.h
@@ -207,6 +207,8 @@ public:
 void SetInverted(bool aInverted);
 bool Inverted() { return mInverted; }
+
+ static nsNPAPIPluginInstance* GetFromNPP(NPP npp);
 #endif
 nsresult NewStreamListener(const char* aURL, void* notifyData,
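Review bot: `GetFromNPP` returns the stored raw pointer without taking a reference, and neither the definition nor the header declaration says so, so a successful lookup only shows the instance was registered at the moment of the call. A short comment above the definition would make the contract explicit: `// Returns the instance registered for |npp|, or nullptr if |npp| is not a live handle. The result is not owned by the caller.` As a smaller style point, the iterator could be initialised from `sPluginNPPMap.find(npp)` where it is declared rather than assigned on a separate line.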