Origin: upstream Subject: getvalueforurl uninitialized instance pointer An uninitialized pointer use flaw was found in IcedTea-Web web browser plugin. A malicious web page could use this flaw make IcedTea-Web browser plugin pass invalid pointer to a web browser. Depending on the browser used, it may cause the browser to crash or possibly execute arbitrary code. The get_cookie_info() and get_proxy_info() call getFirstInTableInstance() with the instance_to_id_map hash as a parameter. If instance_to_id_map is empty (which can happen when plugin was recently removed), getFirstInTableInstance() returns an uninitialized pointer. CVE-2012-3422 diff --git a/plugin/icedteanp/IcedTeaNPPlugin.cc b/plugin/icedteanp/IcedTeaNPPlugin.cc --- a/plugin/icedteanp/IcedTeaNPPlugin.cc +++ b/plugin/icedteanp/IcedTeaNPPlugin.cc @@ -925,6 +925,11 @@ ITNP_URLNotify (NPP instance, const char NPError get_cookie_info(const char* siteAddr, char** cookieString, uint32_t* len) { + // Only attempt to perform this operation if there is a valid plugin instance + if (g_hash_table_size(instance_to_id_map) <= 0) + { + return NPERR_GENERIC_ERROR; + } #if MOZILLA_VERSION_COLLAPSED < 1090100 nsresult rv; nsCOMPtr sec_man = @@ -1330,6 +1335,11 @@ int get_id_from_instance(NPP instance) NPError get_proxy_info(const char* siteAddr, char** proxy, uint32_t* len) { + // Only attempt to perform this operation if there is a valid plugin instance + if (g_hash_table_size(instance_to_id_map) <= 0) + { + return NPERR_GENERIC_ERROR; + } #if MOZILLA_VERSION_COLLAPSED < 1090100 nsresult rv;
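Review bot: In the get_cookie_info() hunk, the guard `if (g_hash_table_size(instance_to_id_map) <= 0)` compares an unsigned count (g_hash_table_size() returns a guint) against 0 with `<=`, so it can only ever mean `== 0`; write it as `== 0` to say what is actually being checked. More importantly, the check treats a symptom: the description states that getFirstInTableInstance() returns an uninitialized pointer when instance_to_id_map is empty, so any other present or future caller of that function remains exposed. Consider also initializing the pointer inside getFirstInTableInstance() and returning NULL when the table is empty, and have callers test for NULL, so the fix lives at the source of the bad value rather than only at these two call sites. Please also confirm whether instance_to_id_map can shrink between this size check and the later lookup (for example when a plugin instance is torn down on another path); if so, the check alone does not close the window.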
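Review bot: The get_proxy_info() hunk duplicates the same five-line guard verbatim from get_cookie_info(), including the `<= 0` comparison on an unsigned guint that reduces to `== 0`; factor the check into one small helper (or move it into getFirstInTableInstance() itself, returning NULL on an empty table) so the two copies cannot drift apart. On the new early-return path neither `*proxy` nor `*len` is assigned; consider setting `*proxy = NULL` and `*len = 0` before `return NPERR_GENERIC_ERROR;` so a caller that ignores the NPError does not consume whatever stale value those out-parameters held.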