Closed
Bug 468668
Opened 16 years ago
Closed 15 years ago
Investigate crash [@ XPC_WN_Equality][@ UserCallWinProcCheckWow] when loading/unloading Adobe objects through EMBED
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: bsterne, Unassigned)
Details
(Whiteboard: [sg:needinfo] can't repro?)
This issue was reported to the security@m.o. alias and I can confirm that it does produce a crash using Firefox 3.0.4 on Windows XP (it requires the Adobe Acrobat plugin to be installed).

http://crash-stats.mozilla.com/report/index/b3f0ea72-3146-45f1-8ce1-4d2b72081209?p=1

The stack in the crash report isn't very enlightening since the crash occurs in the unloaded plugin module. Hopefully someone with a Windows debug build can help investigate here.

From the report:
-----
I've found that loading/unloading various Adobe objects using their mime type and an EMBED tag causes memory corruption in FireFox. Here are repros for all mime types I've found to be affected:

http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/pdf
http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/vnd.adobe.xdp+xml
http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/vnd.adobe.xfd+xml
http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/vnd.adobe.xfdf
http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/vnd.fdf

This does not appear to affect any other browser. However, when I load the repro in other browsers, I do hear an audio alert, after which it appears the object no longer loads in the browser. I believe that this is a bug as well, but it does not seem to have direct security implications.

A similar issue affects VLC player objects, for which I've sent a separate email to the appropriate people. This makes it more likely that the issue is in FireFox and not the Adobe objects.
-----
Comment 1•16 years ago
Related to bug 434593?
Comment 2•16 years ago
If the VLC player object is a problem without ever having loaded PDFs, then it's not related to 434593 since that needs PDFs loaded to trigger. Is there a separate bug for the VLC objects with more details?
The VLC issue is unrelated to the PDF issue in that you do not need one to trigger the bug in the other and vice versa. I thought it may be a similar flaw or even trigger the exact same flaw in FireFox code, which is why I mentioned it. The most recent version of VLC fixes the issue there. Afaik, there is no bugzilla entry for that bug.
Comment 4•16 years ago
I can no longer connect to skypher.com to test this ("The server is taking too long to respond"). Is anyone else able to connect?
Updated•16 years ago
Whiteboard: [sg:needinfo] can't repro?
Below is the code for the page in case you still can't connect to it. Save this to an HTML file and open it in FireFox. It is a generic test so you'll need to specify a mimetype to test in the URL. The original repro URLs I reported will tell you which mimetypes trigger the bug.

<BODY onload=go()></BODY>
<SCRIPT>
var sMimeType = null, sHTML = null, iCounter = 100;
// The mime type under test comes from the query string; strip the characters
// that could break out of the EMBED attribute built below.
if (location.search) {
  sMimeType = location.search.replace(/[\?\<\'\"]/g, "");
}
if (sMimeType) {
  sHTML = sMimeType + " <EMBED type='" + sMimeType + "'></EMBED>";
} else {
  // No mime type given: ask for one and reload with it in the URL.
  location = "?" + prompt("Mime type?", "");
}
// Replace the body 100 times with six fresh EMBED elements each, so the plugin
// is instantiated and torn down repeatedly; then reload the page and start over.
function go() {
  if (sMimeType && iCounter > 0) {
    iCounter--;
    document.body.innerHTML = iCounter.toString() + sHTML + sHTML + sHTML + sHTML + sHTML + sHTML;
    setTimeout(go, 0);
  } else if (sMimeType) {
    location.reload();
  }
}
</SCRIPT>
Comment 7•16 years ago
I got these breakpad stacks when trying out the testcase:

http://crash-stats.mozilla.com/report/index/d55628cb-055d-4bfe-9446-547db2081215?p=1
0 xul.dll XPC_WN_Equality js/src/xpconnect/src/xpcwrappednativejsops.cpp:760
1 xul.dll nsAttrValue::Reset
2 @0x7ffdfbff

And:

http://crash-stats.mozilla.com/report/index/3da0e974-b37b-45c2-9413-242aa2081215?p=1
0 @0x1
1 user32.dll UserCallWinProcCheckWow
2 user32.dll CallWindowProcAorW
3 user32.dll CallWindowProcA
4 nppdf32.dll nppdf32.dll@0x67af
5 user32.dll InternalCallWinProc
6 user32.dll UserCallWinProcCheckWow
7 user32.dll DispatchClientMessage
8 user32.dll __fnDWORD
9 ntdll.dll KiUserCallbackDispatcher
10 nppdf32.dll nppdf32.dll@0x66a5
11 user32.dll DispatchMessageW
12 xul.dll nsAppShell::ProcessNextNativeEvent widget/src/windows/nsAppShell.cpp:149
13 winmm.dll timeGetTime
Summary: Investigate crash when loading/unloading Adobe objects through EMBED → Investigate crash [@ XPC_WN_Equality][@ UserCallWinProcCheckWow] when loading/unloading Adobe objects through EMBED
Comment 8•16 years ago
I get the second crash listed above, and that's definitely the same cause as 434593. I haven't been able to reproduce to get the first crash stack, but it's possible it's the same because it's jumping into arbitrary code. If nobody objects, I'll mark this also as a duplicate of 434593.
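The two stacks in comment 7, read the way comment 8 reads them (the crash jumps into arbitrary code, so part of the stack is not trustworthy), lend themselves to a small triage check. The following is an added example, not code from this bug or from Mozilla's crash-stats tooling: it parses the Breakpad text frames quoted above (copied inline as constructed input), marks every frame whose program counter is not inside any loaded module, and lists unsymbolised third-party plugin modules that appear on the stack. The KNOWN_MODULES set, the verdict names and the Frame/Triage types are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Two Breakpad stacks copied from comment 7 of this bug into string literals,
# so the example runs offline (constructed input, not a live fetch).
CRASH_A = """\
0 xul.dll XPC_WN_Equality js/src/xpconnect/src/xpcwrappednativejsops.cpp:760
1 xul.dll nsAttrValue::Reset
2 @0x7ffdfbff
"""

CRASH_B = """\
0 @0x1
1 user32.dll UserCallWinProcCheckWow
2 user32.dll CallWindowProcAorW
3 user32.dll CallWindowProcA
4 nppdf32.dll nppdf32.dll@0x67af
5 user32.dll InternalCallWinProc
6 user32.dll UserCallWinProcCheckWow
7 user32.dll DispatchClientMessage
8 user32.dll __fnDWORD
9 ntdll.dll KiUserCallbackDispatcher
10 nppdf32.dll nppdf32.dll@0x66a5
11 user32.dll DispatchMessageW
12 xul.dll nsAppShell::ProcessNextNativeEvent widget/src/windows/nsAppShell.cpp:149
13 winmm.dll timeGetTime
"""

# Modules shipped by the browser or the OS; anything else is treated as a
# third-party plugin module (an assumption of this example, not a Mozilla list).
KNOWN_MODULES = {"xul.dll", "user32.dll", "ntdll.dll", "winmm.dll", "kernel32.dll"}

@dataclass
class Frame:
    index: int
    module: Optional[str]   # None when the PC was not inside any loaded module
    symbol: str             # function name, or "module@0xoffset" when unsymbolised
    source: Optional[str]   # file:line when symbols were available

@dataclass
class Triage:
    verdict: str
    unmapped_frames: List[int] = field(default_factory=list)
    unsymbolised_third_party: List[str] = field(default_factory=list)
    frames: List[Frame] = field(default_factory=list)

# A bare "@0x..." token means Breakpad could not attribute the PC to a module.
ADDRESS_RE = re.compile(r"^@0x[0-9a-fA-F]+$")

def parse_frame(line: str) -> Frame:
    """Parse one 'N module symbol source' line of a Breakpad text stack."""
    tokens = line.split()
    index = int(tokens[0])
    if ADDRESS_RE.match(tokens[1]):
        return Frame(index, None, tokens[1], None)
    module = tokens[1]
    symbol = tokens[2] if len(tokens) > 2 else ""
    source = tokens[3] if len(tokens) > 3 else None
    return Frame(index, module, symbol, source)

def parse_stack(text: str) -> List[Frame]:
    return [parse_frame(line) for line in text.splitlines() if line.strip()]

def triage(text: str) -> Triage:
    """Classify a stack by where its program counters actually point."""
    frames = parse_stack(text)
    unmapped = [f.index for f in frames if f.module is None]
    # Third-party modules that appear only as "module@offset" (no symbols).
    third_party = sorted({f.module for f in frames
                          if f.module and f.module not in KNOWN_MODULES
                          and f.symbol.startswith(f.module + "@")})
    if frames and frames[0].module is None:
        verdict = "wild_jump"                # crash PC outside every loaded module
    elif unmapped:
        verdict = "unmapped_return_address"  # walk passed through a bogus frame
    else:
        verdict = "in_module"
    return Triage(verdict, unmapped, third_party, frames)

if __name__ == "__main__":
    for name, stack in (("XPC_WN_Equality", CRASH_A), ("UserCallWinProcCheckWow", CRASH_B)):
        t = triage(stack)
        print(f"{name}: {t.verdict}; unmapped frames {t.unmapped_frames}; "
              f"unsymbolised plugin modules {t.unsymbolised_third_party}")
```

A `wild_jump` verdict (frame 0 is a bare address, as in the second stack) is exactly the pattern comment 8 describes: execution reached an address no loaded module owns, which in a load/unload loop is what a call through a stale pointer into an unloaded plugin module produces. The frames below it are still useful, because they record which plugin module (here nppdf32.dll) was last on the stack before the jump, and that is the module whose patch level comment 10 asks you to verify.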
I don't have access to 434593, so I can't help you make that decision.
Comment 10•15 years ago
This should be fixed with the new release of Reader/Acrobat 9.1. If you do apply that patch, please verify that the nppdf32.dll in the plugins folder is patched; it should be, but we have some reports that sometimes it is not.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•11 years ago
Group: core-security
Updated•2 years ago
Product: Core → Core Graveyard