Check correct offset to avoid crash...

chrome_frame/chrome_frame_activex_base.h

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CHROME_FRAME_CHROME_FRAME_ACTIVEX_BASE_H_
 #define CHROME_FRAME_CHROME_FRAME_ACTIVEX_BASE_H_
 
 #include <atlbase.h>
 #include <atlcom.h>
 #include <atlctl.h>
@@ skipping 900 matching lines @@
     // 0x80020101 == SCRIPT_E_REPORTED.
     // When the script we're invoking has an error, we get this error back.
     DLOG_IF(ERROR, FAILED(hr) && hr != 0x80020101) << "Failed to invoke script";
     return hr;
   }
 
   // Gives the browser a chance to handle an accelerator that was
   // sent to the out of proc chromium instance.
   // Returns S_OK iff the accelerator was handled by the browser.
   HRESULT AllowFrameToTranslateAccelerator(const MSG& msg) {
-    static const int kMayTranslateAcceleratorOffset = 0x170;
+    static const int kMayTranslateAcceleratorOffset = 0x5c;
     // Although IBrowserService2 is officially deprecated, it's still alive
     // and well in IE7 and earlier.  We have to use it here to correctly give
     // the browser a chance to handle keyboard shortcuts.
     // This happens automatically for activex components that have windows that
     // belong to the current thread.  In that circumstance IE owns the message
     // loop and can walk the line of components allowing each participant the
     // chance to handle the keystroke and eventually falls back to
     // v_MayTranslateAccelerator.  However in our case, the message loop is
     // owned by the out-of-proc chromium instance so IE doesn't have a chance to
     // fall back on its default behavior.  Instead we give IE a chance to
     // handle the shortcut here.
     MSG accel_message = msg;
     accel_message.hwnd = ::GetParent(m_hWnd);
     HRESULT hr = S_FALSE;
     ScopedComPtr<IBrowserService2> bs2;
     // The code below explicitly checks for whether the
     // IBrowserService2::v_MayTranslateAccelerator function is valid. On IE8
     // there is one vtable ieframe!c_ImpostorBrowserService2Vtbl where this
     // function entry is NULL which leads to a crash. We don't know under what
     // circumstances this vtable is actually used though.
     if (S_OK == DoQueryService(SID_STopLevelBrowser, m_spInPlaceSite,
                                bs2.Receive()) && bs2.get() &&
-                               (bs2 + kMayTranslateAcceleratorOffset)) {
+                               *(reinterpret_cast<long*>(bs2.get()) +
+                                   kMayTranslateAcceleratorOffset)) {
       hr = bs2->v_MayTranslateAccelerator(&accel_message);
     } else {
       // IE8 doesn't support IBrowserService2 unless you enable a special,
       // undocumented flag with CoInternetSetFeatureEnabled and even then,
       // the object you get back implements only a couple of methods of
       // that interface... all the other entries in the vtable are NULL.
       // In addition, the class that implements it is called
       // ImpostorBrowserService2 :)
       // IE8 does have a new interface though, presumably called
       // ITabBrowserService or something that can be abbreviated to TBS.
@@ skipping 174 matching lines @@
   EventHandlers onreadystatechanged_;
   EventHandlers onprivatemessage_;
   EventHandlers onextensionready_;
 
   // Handle network requests when host network stack is used. Passed to the
   // automation client on initialization.
   UrlmonUrlRequestManager url_fetcher_;
 };
 
 #endif  // CHROME_FRAME_CHROME_FRAME_ACTIVEX_BASE_H_