2008-11-03 23:04  Gwenole Beauchesne <gb.public@free.fr>

	* src/npw-wrapper.c: Don't try to NPP_Write() erroneous buffers of
	  supposedly negative length.
	  
	  Actually, we can get to that case if NPP_WriteReady() returned
	  -1 or another negative value, in general. Some browsers
	  (Konqueror, Google Chrome) send data through NPP_Write() anyway.
	  Others (Firefox, WebKit) actually suspend the stream temporarily.
	  
	  Note that returning -1 here will destroy the stream. This is
	  compatible with the expected behaviour. e.g. the DiamondX test
	  plugin wants that. Is there any other "real" plugin in that case
	  too?

Index: src/npw-wrapper.c
===================================================================
--- src/npw-wrapper.c	(revision 702)
+++ src/npw-wrapper.c	(revision 703)
@@ -1880,6 +1880,21 @@
   if (plugin == NULL)
 	return -1;
 
+  /* Don't try to propagate erroneous buffers.
+   *
+   * Actually, we can get to that case if NPP_WriteReady() returned -1
+   * or another negative value, in general. Some browsers (Konqueror,
+   * Google Chrome) send data through NPP_Write() anyway. Others
+   * (Firefox, WebKit) actually suspend the stream temporarily.
+   *
+   * Note that returning -1 here will destroy the stream. This is
+   * compatible with the expected behaviour. e.g. the DiamondX test
+   * plugin wants that. Is there any other "real" plugin in that case
+   * too?
+   */
+  if (len < 0)
+	return -1;
+
   D(bug("NPP_Write instance=%p\n", instance));
   int32 ret = invoke_NPP_Write(plugin, stream, offset, len, buf);
   D(bug(" return: %d\n", ret));