Closed Bug 446034 Opened 16 years ago Closed 15 years ago

Crash when streaming mjpegs are stopped at the server side and then restarted.

Categories

(Core :: Graphics: ImageLib, defect)

x86
Linux
defect
Not set
critical

RESOLVED DUPLICATE of bug 443714

People

(Reporter: sc.contact, Unassigned)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.1) Gecko/2008071815 (Gentoo) Firefox/3.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.1) Gecko/2008071815 (Gentoo) Firefox/3.0.1

Using zoneminder I can consistently crash firefox with evidence of memory corruption. Specifically:

PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /usr/lib64/mozilla-firefox/firefox(firefox):23224, uid/euid: 1000/1000, PC: 0000000000000131, SP: 00007694c3aab5d8
PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
PAX: bytes at SP-8:



Reproducible: Always

Steps to Reproduce:
1) Open up zoneminder in a tab and open one of the streaming camera views.

2) Close all the zoneminder tabs

3) Stop zoneminder on the server

4) Start zoneminder on the server

5) Firefox Crashes.

Actual Results:  
PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /usr/lib64/mozilla-firefox/firefox(firefox):23224, uid/euid: 1000/1000, PC: 0000000000000131, SP: 00007694c3aab5d8
PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
PAX: bytes at SP-8:

Expected Results:  
I expect the mjpeg streams to be closed when the tabs have been closed, but I believe there is another open bug for this problem.  Other than that, I expect firefox not to crash.

I am not entirely sure whether this is exploitable or not because I do not really have the time to debug it and work out if any of the memory corruption can be controlled by the attacker.  But I'm going to err on the side of caution and mark this as a security bug so that you can determine that.
I couldn't get this to crash with debugging options turned on in the configure, but I hope the above is useful.
Whiteboard: [sg:investigate]
Component: General → ImageLib
Product: Firefox → Core
QA Contact: general → imagelib
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:investigate]
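
For triage of reports like this one, the PaX kernel messages quoted in the description can be parsed and the faulting PC and SP classified. The Python below is an added example, not part of the original bug report or of Mozilla's code; its regexes are written against the two line formats shown in this report, and the 0x10000 low-address threshold is an assumption (a common vm.mmap_min_addr value).

```python
import re

# Constructed sample: the two PaX kernel lines quoted in the report.
SAMPLE = (
    "PAX: execution attempt in: <NULL>, 00000000-00000000 00000000\n"
    "PAX: terminating task: /usr/lib64/mozilla-firefox/firefox(firefox):23224, "
    "uid/euid: 1000/1000, PC: 0000000000000131, SP: 00007694c3aab5d8\n"
)

EXEC_RE = re.compile(r"PAX: execution attempt in: (?P<region>.+?), [0-9a-f]+-[0-9a-f]+ [0-9a-f]+")
TERM_RE = re.compile(
    r"PAX: terminating task: (?P<path>\S+)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+), SP: (?P<sp>[0-9a-f]+)"
)

LOW_ADDR_LIMIT = 0x10000               # assumption: common vm.mmap_min_addr (65536)
USER_TOP_X86_64 = 0x00007FFFFFFFFFFF   # top of user space with 48-bit addressing


def classify_addr(addr):
    """Bucket an address so a triager can see at a glance where it points."""
    if addr < LOW_ADDR_LIMIT:
        return "null-page"             # normally unmapped, so "bytes at PC" shows ??
    if addr <= USER_TOP_X86_64:
        return "user"
    return "non-user"


def parse_pax(text):
    """Pair each 'execution attempt' line with the 'terminating task' line after it."""
    events, region = [], None
    for line in text.splitlines():
        m = EXEC_RE.search(line)
        if m:
            region = m["region"]
            continue
        m = TERM_RE.search(line)
        if m:
            pc, sp = int(m["pc"], 16), int(m["sp"], 16)
            events.append({
                "comm": m["comm"], "path": m["path"], "pid": int(m["pid"]),
                "uid": int(m["uid"]), "euid": int(m["euid"]), "region": region,
                "pc": pc, "pc_class": classify_addr(pc),
                "sp": sp, "sp_class": classify_addr(sp),
            })
            region = None
    return events


if __name__ == "__main__":
    for ev in parse_pax(SAMPLE):
        print(f"{ev['comm']}[{ev['pid']}] PC={ev['pc']:#x} ({ev['pc_class']}) "
              f"SP={ev['sp']:#x} ({ev['sp_class']}) region={ev['region']}")
```

A null-page PC alongside a valid user-space SP shows where execution was diverted, not whether the value is attacker-influenced; answering that still needs a debugger or core dump.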