Closed Bug 468668 Opened 16 years ago Closed 15 years ago

Investigate crash [@ XPC_WN_Equality][@ UserCallWinProcCheckWow] when loading/unloading Adobe objects through EMBED

Categories

(Core Graveyard :: Plug-ins, defect)

Version: 1.9.0 Branch
Platform: x86 Windows XP
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bsterne, Unassigned)

Details

(Whiteboard: [sg:needinfo] can't repro?)

This issue was reported to the security@m.o. alias and I can confirm that it does produce a crash using Firefox 3.0.4 on Windows XP (it requires the Adobe Acrobat plugin to be installed).

http://crash-stats.mozilla.com/report/index/b3f0ea72-3146-45f1-8ce1-4d2b72081209?p=1

The stack in the crash report isn't very enlightening since the crash occurs in the unloaded plugin module.  Hopefully someone with a Windows debug build can help investigate here.

From the report:

-----
I've found that loading/unloading various Adobe objects using their mime type and an EMBED tag causes memory corruption in Firefox. Here are repros for all mime types I've found to be affected:

http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/pdf
http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/vnd.adobe.xdp+xml
http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/vnd.adobe.xfd+xml
http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/vnd.adobe.xfdf
http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/vnd.fdf

This does not appear to affect any other browser. However, when I load the repro in other browsers, I do hear an audio alert, after which it appears the object no longer loads in the browser. I believe that this is a bug as well, but it does not seem to have direct security implications.

A similar issue affects VLC player objects, for which I've sent a separate email to the appropriate people. This makes it more likely that the issue is in Firefox and not the Adobe objects.
-----
Related to bug 434593?
If the VLC player object is a problem without ever having loaded PDFs, then it's not related to 434593 since that needs PDFs loaded to trigger.  Is there a separate bug for the VLC objects with more details?
The VLC issue is unrelated to the PDF issue in that you do not need one to trigger the bug in the other and vice versa. I thought it may be a similar flaw or even trigger the exact same flaw in Firefox code, which is why I mentioned it.

The most recent version of VLC fixes the issue there. AFAIK, there is no bugzilla entry for that bug.
I can no longer connect to skypher.com to test this ("The server is taking too long to respond").  Is anyone else able to connect?
Odd - it is working fine for me...
Whiteboard: [sg:needinfo] can't repro?
Below is the code for the page in case you still can't connect to it. Save this to an HTML file and open it in Firefox. It is a generic test so you'll need to specify a mimetype to test in the URL. The original repro URLs I reported will tell you which mimetypes trigger the bug.

<BODY onload=go()></BODY>
<SCRIPT>
	// The mime type to test comes from the query string; strip characters
	// that would break out of the EMBED attribute below.
	var sMimeType = null, sHTML = null, iCounter = 100;
	if (location.search) {
		sMimeType = location.search.replace(/[\?\<\'\"]/g, "");
	}
	if (sMimeType) {
		// Markup for one plugin instance of the requested type.
		sHTML = sMimeType + " <EMBED type='" + sMimeType + "'></EMBED>";
	} else {
		// No type given: ask for one and reload with it in the URL.
		location = "?" + prompt("Mime type?", "");
	}
	function go() {
		if (sMimeType && iCounter > 0) {
			// Replace the body 100 times with six fresh EMBEDs; each
			// iteration instantiates the plugin and then tears it down.
			iCounter--;
			document.body.innerHTML = iCounter.toString() +
				sHTML + sHTML + sHTML + sHTML + sHTML + sHTML;
			setTimeout(go, 0);
		} else if (sMimeType) {
			// After 100 iterations, reload the page and start over.
			location.reload();
		}
	}
</SCRIPT>
I got these breakpad stacks when trying out the testcase:
http://crash-stats.mozilla.com/report/index/d55628cb-055d-4bfe-9446-547db2081215?p=1
0  	xul.dll  	XPC_WN_Equality  	 js/src/xpconnect/src/xpcwrappednativejsops.cpp:760
1 	xul.dll 	nsAttrValue::Reset 	
2 		@0x7ffdfbff

And:
http://crash-stats.mozilla.com/report/index/3da0e974-b37b-45c2-9413-242aa2081215?p=1
0  	 	@0x1  	
1 	user32.dll 	UserCallWinProcCheckWow 	
2 	user32.dll 	CallWindowProcAorW 	
3 	user32.dll 	CallWindowProcA 	
4 	nppdf32.dll 	nppdf32.dll@0x67af 	
5 	user32.dll 	InternalCallWinProc 	
6 	user32.dll 	UserCallWinProcCheckWow 	
7 	user32.dll 	DispatchClientMessage 	
8 	user32.dll 	__fnDWORD 	
9 	ntdll.dll 	KiUserCallbackDispatcher 	
10 	nppdf32.dll 	nppdf32.dll@0x66a5 	
11 	user32.dll 	DispatchMessageW 	
12 	xul.dll 	nsAppShell::ProcessNextNativeEvent 	widget/src/windows/nsAppShell.cpp:149
13 	winmm.dll 	timeGetTime
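As an added triage example (not part of this bug's attachments or of Mozilla's code): a small parser for Breakpad-style frame lines like the two stacks above. It flags frames that carry no module at all (a bare `@0x...` address, i.e. execution outside every loaded image, which is what a call into an already-unloaded plugin DLL looks like) and frames that resolve only to a module plus offset, and it reports the first frame that still has a source location, which is the last point at which the browser's own code was in control. The sample input reproduces the frames quoted above as constructed tab-separated text; the classification rules and the `np*.dll` plugin-name heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Frame lines from the two Breakpad reports quoted above, laid out here as
# constructed, tab-separated sample input: index, module, function, source.
STACK_XPC_WN_EQUALITY = (
    "0\txul.dll\tXPC_WN_Equality\tjs/src/xpconnect/src/xpcwrappednativejsops.cpp:760\n"
    "1\txul.dll\tnsAttrValue::Reset\t\n"
    "2\t\t@0x7ffdfbff\n"
)

STACK_USERCALLWINPROC = (
    "0\t\t@0x1\t\n"
    "1\tuser32.dll\tUserCallWinProcCheckWow\t\n"
    "2\tuser32.dll\tCallWindowProcAorW\t\n"
    "3\tuser32.dll\tCallWindowProcA\t\n"
    "4\tnppdf32.dll\tnppdf32.dll@0x67af\t\n"
    "5\tuser32.dll\tInternalCallWinProc\t\n"
    "6\tuser32.dll\tUserCallWinProcCheckWow\t\n"
    "7\tuser32.dll\tDispatchClientMessage\t\n"
    "8\tuser32.dll\t__fnDWORD\t\n"
    "9\tntdll.dll\tKiUserCallbackDispatcher\t\n"
    "10\tnppdf32.dll\tnppdf32.dll@0x66a5\t\n"
    "11\tuser32.dll\tDispatchMessageW\t\n"
    "12\txul.dll\tnsAppShell::ProcessNextNativeEvent\twidget/src/windows/nsAppShell.cpp:149\n"
    "13\twinmm.dll\ttimeGetTime\n"
)

BARE_ADDRESS = re.compile(r"^@0x[0-9a-fA-F]+$")           # address with no module at all
MODULE_OFFSET = re.compile(r"^[\w.\-]+@0x[0-9a-fA-F]+$")  # module+offset, no symbol
PLUGIN_NAME = re.compile(r"^np.*\.dll$", re.IGNORECASE)   # NPAPI naming convention (assumed heuristic)


@dataclass
class Frame:
    index: int
    module: str
    function: str
    source: str


def parse_stack(text: str) -> List[Frame]:
    """Parse tab-separated Breakpad frame lines; missing trailing fields become empty."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("\t")]
        parts += [""] * (4 - len(parts))
        frames.append(Frame(int(parts[0]), parts[1], parts[2], parts[3]))
    return frames


def classify(frame: Frame) -> str:
    """bare-address: pc outside every loaded image (e.g. an unloaded DLL);
    unsymbolized: inside a module that has no symbols; symbolized: named function."""
    if not frame.module and BARE_ADDRESS.match(frame.function):
        return "bare-address"
    if MODULE_OFFSET.match(frame.function):
        return "unsymbolized"
    if frame.module:
        return "symbolized"
    return "unknown"


def triage(frames: List[Frame]) -> Dict[str, object]:
    """Summarise one stack: where it faulted, which frames are unmapped, which plugins appear."""
    kinds = [classify(f) for f in frames]
    bare = [f.index for f, k in zip(frames, kinds) if k == "bare-address"]
    unsym = sorted({f.module for f, k in zip(frames, kinds) if k == "unsymbolized"})
    plugins = sorted({f.module for f in frames if PLUGIN_NAME.match(f.module)})
    # First frame with a source location: the last point where browser code was in control.
    sourced = [f.index for f in frames if f.source]
    return {
        "top_frame": kinds[0] if kinds else "empty",
        "bare_address_frames": bare,
        "unsymbolized_modules": unsym,
        "plugin_modules": plugins,
        "first_sourced_frame": sourced[0] if sourced else None,
        # Execution outside any loaded module is the signature of a call into freed/unloaded code.
        "suspicious": bool(bare),
    }


if __name__ == "__main__":
    for name, text in (("XPC_WN_Equality", STACK_XPC_WN_EQUALITY),
                       ("UserCallWinProcCheckWow", STACK_USERCALLWINPROC)):
        print(name, triage(parse_stack(text)))
```

Run against the second stack, the report shows frame 0 as a bare address with nppdf32.dll as the only plugin module on the stack and frame 12 (nsAppShell::ProcessNextNativeEvent) as the last frame with source, which matches the reading in the thread that the fault is a jump out of the plugin's window procedure into memory that no longer belongs to any loaded module.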
Summary: Investigate crash when loading/unloading Adobe objects through EMBED → Investigate crash [@ XPC_WN_Equality][@ UserCallWinProcCheckWow] when loading/unloading Adobe objects through EMBED
I get the second crash listed above, and that is definitely the same cause as 434593.  I haven't been able to reproduce to get the first crash stack, but it's possible it's the same because it's jumping into arbitrary code.

If nobody objects, I'll mark this also as a duplicate of 434593.
I don't have access to 434593, so I can't help you make that decision.
This should be fixed with the new release of Reader/Acrobat 9.1.  If you do apply that patch, please verify that the nppdf32.dll in the plugins folder is patched; it should be, but we have some reports that sometimes it is not.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Group: core-security
Product: Core → Core Graveyard