Bug 582012 - register identifiers in the ID maps when they are created by the browser, so that a plugin never sees two identifiers for the same string/integer, r=bent

dom/plugins/PluginModuleChild.cpp

@@ -1611,15 +1611,17 @@ PluginModuleChild::AllocPPluginIdentifier(const nsCString& aString,
 
     if (aString.IsVoid()) {
         newActor = new PluginIdentifierChildInt(aInt);
-        if (mIntIdentifiers.Get(aInt, &existingActor)) {
+        if (mIntIdentifiers.Get(aInt, &existingActor))
             newActor->SetCanonicalIdentifier(existingActor);
-        }
+        else
+            mIntIdentifiers.Put(aInt, newActor);
     }
     else {
         newActor = new PluginIdentifierChildString(aString);
-        if (mStringIdentifiers.Get(aString, &existingActor)) {
+        if (mStringIdentifiers.Get(aString, &existingActor))
             newActor->SetCanonicalIdentifier(existingActor);
-        }
+        else
+            mStringIdentifiers.Put(aString, newActor);
     }
     return newActor;
 }

modules/plugin/test/testplugin/nptest.cpp

@@ -93,14 +93,18 @@ NoteIntentionalCrash()
   }
 }
 
+static void Crash()
+{
+  int *pi = NULL;
+  *pi = 55; // Crash dereferencing null pointer
+  ++gCrashCount;
+}
+
 static void
 IntentionalCrash()
 {
   NoteIntentionalCrash();
-
-  int *pi = NULL;
-  *pi = 55; // Crash dereferencing null pointer
-  ++gCrashCount;
+  Crash();
 }
 
 //
@@ -1654,6 +1658,14 @@ scriptableInvokeDefault(NPObject* npobj, const NPVariant* args, uint32_t argCoun
 bool
 scriptableHasProperty(NPObject* npobj, NPIdentifier name)
 {
+  if (NPN_IdentifierIsString(name)) {
+    if (NPN_GetStringIdentifier(NPN_UTF8FromIdentifier(name)) != name)
+      Crash();
+  }
+  else {
+    if (NPN_GetIntIdentifier(NPN_IntFromIdentifier(name)) != name)
+      Crash();
+  }
   for (int i = 0; i < int(ARRAY_LENGTH(sPluginPropertyIdentifiers)); i++) {
     if (name == sPluginPropertyIdentifiers[i])
       return true;