2008-11-22 10:43 Gwenole Beauchesne
* src/npw-wrapper.c: Fix NPN_ReleaseObject() reply, i.e. don't dereference npobj after the real call to NPN handler as it could be deallocated.
Index: src/npw-wrapper.c
===================================================================
--- src/npw-wrapper.c (revision 735)
+++ src/npw-wrapper.c (working copy)
@@ -912,9 +912,15 @@
 if (npobj == NULL) // this shall not happen, let it crash
 npw_printf("ERROR: NPN_ReleaseObject got a null NPObject\n");
+ /* Decrement reference count here so that we don't depend on a
+ * (possibly) deallocated NPObject afterwards, when we send the
+ * value in the RPC reply
+ */
+ uint32_t refcount = npobj->referenceCount - 1;
+
 NPN_ReleaseObject(npobj);
- return rpc_method_send_reply(connection, RPC_TYPE_UINT32, npobj->referenceCount, RPC_TYPE_INVALID);
+ return rpc_method_send_reply(connection, RPC_TYPE_UINT32, refcount, RPC_TYPE_INVALID);
 }
 // NPN_Invoke
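Review bot: The value sent in the reply, `uint32_t refcount = npobj->referenceCount - 1;`, is now a prediction made before the call rather than an observation made after it, so it silently assumes NPN_ReleaseObject() decrements by exactly one and never reflects what the browser actually did; if referenceCount is already 0 (an over-release from the plugin side), the subtraction wraps to UINT32_MAX and the peer is told the object is still very much alive. The use-after-free on the old `return` line is correctly removed, but the comment should state the assumption it rests on, e.g. `/* Predicted, not observed: assumes NPN_ReleaseObject() drops exactly one reference; must not touch npobj after the call. */`, and a guard such as `uint32_t refcount = npobj->referenceCount ? npobj->referenceCount - 1 : 0;` would keep an over-release from being reported as a huge count. Note also that with the new line the deliberate "let it crash" NULL case now faults at the subtraction rather than inside NPN_ReleaseObject(), which is fine but worth a word in the existing comment. The enclosing handler starts before the hunk.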