Closed Bug 511767 Opened 15 years ago Closed 11 years ago

Reproducible Crash in WMP? at [@ npdsplay@0x1e9a3 ] and [@strcasecmp_l ]

Product/Component: Plugins Graveyard :: Windows Media Player (Microsoft)
Type: defect
Version: 11.x
Platform: x86, OS: All
Priority: Not set
Severity: critical
Tracking: Not tracked
Status: RESOLVED INCOMPLETE
Reporter: cbook; Assignee: Unassigned
Keywords: crash, sec-vector
Whiteboard: [sg:vector wmp]
Attachments: 1 file

Steps to reproduce:
Load: http://sites.google.com/site/mori79/html-gadgets/audio-players
Crashes Windows and Mac 3.5 builds.

WMV problem?

(79c.89c): Access violation - code c0000005 (!!! second chance !!!)
eax=5f380753 ebx=04b8f508 ecx=06ec5eb8 edx=00000000 esi=5f37a7f1 edi=00000000
eip=5f34e9a3 esp=0012eb80 ebp=0012eb8c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
npdsplay!unuse_netscape_plugin_Plugin+0x88c3:
5f34e9a3 8a27            mov     ah,byte ptr [edi]          ds:0023:00000000=??
 -
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at npdsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 (Hash=0x1d206756.0x7509283d)

The data from the faulting address is later used to determine whether or not a branch is taken.
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012eb8c 5f33d2e8 npdsplay!unuse_netscape_plugin_Plugin+0x88c3
0012ebb0 0042fdeb npdsplay!native_NPDS_npDSJavaPeer_StreamSelect+0x29f8
0012ebc4 0030e1cb nspr4!PR_GetThreadPrivate+0xb
0012ebec 071d9ae3 xpcom_core!NS_LogRelease_P+0x1b
0012ec10 0719ee5c gkplugin!nsPluginInstancePeerImpl::Release+0x93
0012ec20 071a1015 gkplugin!nsCOMPtr<nsIPluginInstancePeer>::~nsCOMPtr<nsIPluginInstancePeer>+0x3c
0012ec44 04b80001 gkplugin!nsCOMPtr<nsIPluginInstancePeer>::Assert_NoQueryNeeded+0x95
0012ec84 1021af95 0x4b80001
0012ecb8 10210004 MSVCR80D!malloc_dbg+0x455
0012ed14 071a660a MSVCR80D!_unDNameEx+0x6d04
0012ed20 071baae3 gkplugin!nsNPAPIPluginInstance::Initialize+0x3a
0012f12c 071b9f5a gkplugin!nsPluginHostImpl::TrySetUpPluginInstance+0x993
0012f184 071b8230 gkplugin!nsPluginHostImpl::SetUpPluginInstance+0x4a
0012f448 071b1c66 gkplugin!nsPluginHostImpl::InstantiateEmbeddedPlugin+0x950
0012f5e8 02d7167d gkplugin!nsPluginStreamListenerPeer::OnStartRequest+0x916
0012f78c 01386b9c gklayout!nsObjectLoadingContent::OnStartRequest+0xf4d
0012f7d4 01393606 necko!nsHttpChannel::CallOnStartRequest+0x2ec
0012f7e0 012e74b4 necko!nsHttpChannel::OnStartRequest+0x2d6
0012f808 012e7320 necko!nsInputStreamPump::OnStateStart+0xa4
0012f818 002e393a necko!nsInputStreamPump::OnInputStreamReady+0x70
quit:
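The register dump above already carries the first-pass triage: edi is zero and the faulting instruction reads one byte through it, so the access violation is a read from the null page. The following Python helper is an added example, not part of this bug or of Mozilla's crash tooling; it parses a WinDbg access-violation excerpt of this shape (exception line, register lines, symbol line, faulting instruction with its `ds:sel:addr=value` annotation) and classifies the fault. The SAMPLE string is the excerpt from the comment above; the 64 KiB null-region bound and the table of mnemonics that write their first operand are the helper's own assumptions.

```python
"""Triage helper for WinDbg access-violation excerpts.

Added example code (not from the bug or from Mozilla's crash tooling): parses
the register dump and faulting-instruction line WinDbg prints on an access
violation and classifies the fault as a null-page or wild-pointer read/write.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: Win32 keeps the lowest 64 KiB of user address space unmapped, so
# a fault below this bound is a null (or null-plus-small-offset) dereference.
NULL_REGION_LIMIT = 0x10000

# Assumption: x86 mnemonics whose first operand is the destination; a memory
# first operand on one of these means the faulting access was a write.
WRITES_FIRST_OPERAND = {"mov", "movzx", "movsx", "add", "sub", "and", "or",
                        "xor", "inc", "dec", "not", "neg"}

EXCEPTION_RE = re.compile(r"Access violation - code ([0-9a-f]{8})")
REGISTER_RE = re.compile(r"\b([a-z]{2,3})=([0-9a-f]{8})\b")
SYMBOL_RE = re.compile(r"^(?P<sym>[^\s!]+![^\s:]+):\s*$")
# e.g. "5f34e9a3 8a27   mov   ah,byte ptr [edi]   ds:0023:00000000=??"
INSN_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8})\s+(?P<bytes>[0-9a-f]+)\s+(?P<mnem>[a-z]+)\s*"
    r"(?P<ops>.*?)\s+(?P<seg>[a-z]{2}):(?P<sel>[0-9a-f]{4}):"
    r"(?P<target>[0-9a-f]{8})=(?P<val>\S+)$"
)
MEM_OPERAND_RE = re.compile(r"\[([^\]]+)\]")
BASE_REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p)\b")

# The WinDbg excerpt posted in this bug's first comment, embedded as input.
SAMPLE = """\
(79c.89c): Access violation - code c0000005 (!!! second chance !!!)
eax=5f380753 ebx=04b8f508 ecx=06ec5eb8 edx=00000000 esi=5f37a7f1 edi=00000000
eip=5f34e9a3 esp=0012eb80 ebp=0012eb8c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
npdsplay!unuse_netscape_plugin_Plugin+0x88c3:
5f34e9a3 8a27            mov     ah,byte ptr [edi]          ds:0023:00000000=??
"""


@dataclass
class Triage:
    exception_code: int
    faulting_eip: int
    symbol: Optional[str]
    instruction: str
    faulting_address: int
    access: str               # "read", "write" or "none"
    value_unreadable: bool    # WinDbg printed "=??" for the target address
    zero_base_registers: List[str]
    registers: Dict[str, int] = field(default_factory=dict)

    @property
    def null_deref(self) -> bool:
        return self.faulting_address < NULL_REGION_LIMIT

    @property
    def category(self) -> str:
        region = "null-pointer" if self.null_deref else "wild-pointer"
        return f"{region} {self.access}"

    def summary(self) -> str:
        text = (f"{self.category} at eip=0x{self.faulting_eip:08x} "
                f"({self.symbol or 'no symbol'}): {self.instruction} "
                f"-> 0x{self.faulting_address:08x}")
        if self.zero_base_registers:
            text += f"; base register(s) {', '.join(self.zero_base_registers)} are 0"
        return text


def classify_access(mnemonic: str, operands: List[str]) -> str:
    """Return 'read', 'write' or 'none' for the memory operand of one x86 insn."""
    mem_index = next((i for i, op in enumerate(operands) if "[" in op), None)
    if mem_index is None:
        return "none"
    if mem_index == 0 and mnemonic in WRITES_FIRST_OPERAND:
        return "write"
    return "read"


def triage_access_violation(dump: str) -> Triage:
    """Parse a WinDbg access-violation excerpt and classify the faulting access."""
    registers: Dict[str, int] = {}
    code: Optional[int] = None
    symbol: Optional[str] = None
    insn = None
    for raw in dump.splitlines():
        line = raw.strip()
        if (m := EXCEPTION_RE.search(line)):
            code = int(m.group(1), 16)
        elif (m := SYMBOL_RE.match(line)):
            symbol = m.group("sym")
        elif (m := INSN_RE.match(line)):
            insn = m
        else:  # register lines: eax=..., eip=..., efl=...
            for name, value in REGISTER_RE.findall(line):
                registers[name] = int(value, 16)
    if code is None or insn is None:
        raise ValueError("not a WinDbg access-violation excerpt")
    ops = insn.group("ops")
    operands = [op.strip() for op in ops.split(",") if op.strip()]
    mem = MEM_OPERAND_RE.search(ops)
    bases = BASE_REG_RE.findall(mem.group(1)) if mem else []
    return Triage(
        exception_code=code,
        faulting_eip=int(insn.group("addr"), 16),
        symbol=symbol,
        instruction=f"{insn.group('mnem')} {ops}".strip(),
        faulting_address=int(insn.group("target"), 16),
        access=classify_access(insn.group("mnem"), operands),
        value_unreadable=set(insn.group("val")) == {"?"},
        zero_base_registers=[r for r in bases if registers.get(r) == 0],
        registers=registers,
    )


if __name__ == "__main__":
    print(triage_access_violation(SAMPLE).summary())
```

On the excerpt this reports a null-pointer read through edi. A read from the null page is a reliable crash; whether it is more than a denial of service depends on where the loaded byte flows, which is exactly what the !exploitable line "Data from Faulting Address controls Branch Selection" is pointing at, and the helper stops short of that question on purpose.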
Attached file saved html source
Saved copy of this site. It also crashes from the local copy: all you need to do to crash is load the ifr.htm file.
my (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3pre) Gecko/20090811 Shiretoko/3.5.3pre 

Stack with signature [@strcasecmp_l ] looks like:

http://crash-stats.mozilla.com/report/index/2509dc3c-33ee-4aaa-a43b-de5582090820?p=1

Frame	Module	Signature	Source
0  	libSystem.B.dylib  	strcasecmp_l  	
1 	libSystem.B.dylib 	strcasecmp 	
2 	Flip4Mac WMV Plugin 	Flip4Mac WMV Plugin@0x5556 	
3 	Flip4Mac WMV Plugin 	Flip4Mac WMV Plugin@0x56f1 	
4 	Flip4Mac WMV Plugin 	Flip4Mac WMV Plugin@0x5d91 	
5 	XUL 	nsNPAPIPluginInstance::InitializePlugin 	modules/plugin/base/src/nsNPAPIPluginInstance.cpp:1030
6 	XUL 	nsPluginHostImpl::TrySetUpPluginInstance 	modules/plugin/base/src/nsPluginHostImpl.cpp:3872
7 	XUL 	nsPluginHostImpl::SetUpPluginInstance 	modules/plugin/base/src/nsPluginHostImpl.cpp:3670
8 	XUL 	nsPluginHostImpl::InstantiateEmbeddedPlugin 	modules/plugin/base/src/nsPluginHostImpl.cpp:3361
9 	XUL 	nsPluginStreamListenerPeer::OnStartRequest 	modules/plugin/base/src/nsPluginHostImpl.cpp:2025
10 	XUL 	nsObjectLoadingContent::OnStartRequest 	content/base/src/nsObjectLoadingContent.cpp:608
11 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
12 	XUL 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:2454
13 	XUL 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1590
14 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1386
15 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5179
16 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
17 	XUL 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
18 	XUL 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:569
19 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
20 	XUL 	PrepareAndDispatch 	
21 	XUL 	nsHttpChannel::CallOnStartRequest 	netwerk/protocol/http/src/nsHttpChannel.cpp:846
22 	XUL 	nsHttpChannel::OnStartRequest 	netwerk/protocol/http/src/nsHttpChannel.cpp:4897
23 	XUL 	nsInputStreamPump::OnStateStart 	netwerk/base/src/nsInputStreamPump.cpp:439
24 	XUL 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:395
25 	XUL 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:111
26 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
27 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:180
28 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
29 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:405
30 	CoreFoundation 	CFRunLoopRunSpecific 	
31 	CoreFoundation 	CFRunLoopRunInMode 	
32 	HIToolbox 	RunCurrentEventLoopInMode 	
33 	HIToolbox 	ReceiveNextEventCommon 	
34 	HIToolbox 	BlockUntilNextEventMatchingListInMode 	
35 	AppKit 	_DPSNextEvent 	
36 	AppKit 	-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	
37 	AppKit 	-[NSApplication run] 	
38 	XUL 	nsAppShell::Run 	widget/src/cocoa/nsAppShell.mm:720
39 	XUL 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
40 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3321
41 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
42 	firefox-bin 	firefox-bin@0x1541 	
43 	firefox-bin 	firefox-bin@0x1468 	
44 		@0x2
Windows stack

Signature [@npdsplay.dll@0x1e9a3 ]

http://crash-stats.mozilla.com/report/index/263aaecf-e260-49d1-a21c-c48732090820?p=1

Frame	Module	Signature	Source
0 	npdsplay.dll 	npdsplay.dll@0x1e9a3 	
1 	npdsplay.dll 	npdsplay.dll@0xd2e7 	


On Windows, Chrome seems immune to the crash.

IE8 does too, but that might be the result of the right content not getting loaded. I see lots of XML errors on the page after I got past the Flash and WMP installation prompts seen after loading the page and getting plugin-finder-like dialogs.
Yesterday we got

49 total crashes for npdsplay on 20090819-crashdata.csv
19 were startup crashes (inside 3 minutes)

Distribution of versions where the crash was found on 20090819-crashdata.csv
  29 Firefox 3.0.13
   7 Firefox 3.5.2
   3 Firefox 3.0.6
   2 Firefox 3.5
   2 Firefox 3.0.4
   2 Firefox 3.0.1
   1 Firefox 3.0.8
   1 Firefox 3.0.3
   1 Firefox 3.0.12
   1 Firefox 3.0.10

OS breakdown
  20 npdsplay.dll@0x1e9a3 Windows NT 5.1.2600 Service Pack 3
   4 npdsplay.dll@0x17b34 Windows NT 5.1.2600 Service Pack 3
   4 npdsplay.dll@0x10bdc Windows NT 5.1.2600 Service Pack 2
   3 npdsplay.dll@0x1e8b3 Windows NT 5.1.2600 Service Pack 2
   2 npdsplay.dll@0x2a417 Windows NT 5.1.2600 Service Pack 2
   1 npdsplay.dll@0x31410 Windows NT 5.1.2600 Service Pack 2
   1 npdsplay.dll@0x31064 Windows NT 5.1.2600 Service Pack 2
   1 npdsplay.dll@0x2ae13 Windows NT 5.1.2600 Service Pack 3
   1 npdsplay.dll@0x2ad15 Windows NT 5.1.2600 Service Pack 3
   1 npdsplay.dll@0x2a3fc Windows NT 5.1.2600 Service Pack 2
   1 npdsplay.dll@0x2a3fb Windows NT 5.1.2600 Service Pack 3
   1 npdsplay.dll@0x2a3f7 Windows NT 5.1.2600 Service Pack 3
   1 npdsplay.dll@0x2a3b8 Windows NT 5.1.2600 Service Pack 3
   1 npdsplay.dll@0x29539 Windows NT 5.1.2600 Dodatek Service Pack 2
   1 npdsplay.dll@0x29519 Windows NT 5.1.2600 Szervizcsomag 3
   1 npdsplay.dll@0x29519 Windows NT 5.1.2600 Service Pack 2
   1 npdsplay.dll@0x294a4 Windows NT 5.1.2600 Service Pack 3
   1 npdsplay.dll@0x1ed3d Windows NT 5.1.2600 Service Pack 1
   1 npdsplay.dll@0x179f4 Windows NT 5.1.2600
   1 npdsplay.dll@0x10bdc Windows NT 5.1.2600 Service Pack 3
   1 npdsplay.dll@0x107cb Windows NT 5.1.2600 Service Pack 3
The Windows system in comment 3 has WMP 11.0.5721.5268 installed.
Summary: Data from Faulting Address controls Branch Selection starting at npdsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 → Crash [@ npdsplay !unuse_netscape_plugin_Plugin+0x00000000000088c3] and [@strcasecmp_l ]
Summary: Crash [@ npdsplay !unuse_netscape_plugin_Plugin+0x00000000000088c3] and [@strcasecmp_l ] → Reproducable Crash in WMP? at [@ npdsplay@0x1e9a3 ] and [@strcasecmp_l ]
Looking at a sample of 100 npdsplay.dll crashes from yesterday, I can see the same variety of stack signatures, but it is isolated to a few versions of the .dll.

It looks like the majority of these crashes match the stack signature listed here, so there are possibly more sites like this one and the one in bug 512387 that can crash Firefox in the same way, or we are seeing many people hitting the same few sites.

  40 npdsplay.dll@0x1e9a3 3.0.2.629
   7 npdsplay.dll@0x1ee53 3.0.2.629
   6 npdsplay.dll@0x3b368 3.0.2.629
   2 npdsplay.dll@0x29519 3.0.2.629
   2 npdsplay.dll@0x2380c 3.0.2.629
   1 npdsplay.dll@0x31038 3.0.2.629
   1 npdsplay.dll@0x30fa9 3.0.2.629
   1 npdsplay.dll@0x2a3f7 3.0.2.629
   1 npdsplay.dll@0x2a3b3 3.0.2.629
   1 npdsplay.dll@0x295f1 3.0.2.629
   1 npdsplay.dll@0x294b4 3.0.2.629
   1 npdsplay.dll@0x294af 3.0.2.629
   1 npdsplay.dll@0x2389d 3.0.2.629
   1 npdsplay.dll@0x17b34 3.0.2.629

   3 npdsplay.dll@0x1e8b3 3.0.2.628
   1 npdsplay.dll@0x31738 3.0.2.628
   1 npdsplay.dll@0x2a417 3.0.2.628
   1 npdsplay.dll@0x17b44 3.0.2.628
   1 npdsplay.dll@0x29539 3.0.2.628
   1 npdsplay.dll@0x1ed63 3.0.2.628
   1 npdsplay.dll@0x1ec4d 3.0.2.628

   1 npdsplay.dll@0x1e763 3.0.2.627
   1 npdsplay.dll@0x2a2b8 3.0.2.627
   1 npdsplay.dll@0x29541 3.0.2.627
Whiteboard: [sg:vector wmp]
Another set of steps to reproduce:

-> http://crash-stats.mozilla.com/report/index/1eba16bd-8449-499f-b9c8-1ad882090924?p=1 3.0.14

-> http://crash-stats.mozilla.com/report/index/cb95e7d9-8d59-4b30-b94f-d22a82090924?p=1 3.5.3 while loading http://daksu20.com/

Chofmann, is this one of our topcrashes now? I see this a lot in my test runs.
Component: Plug-ins → Windows Media Player (Microsoft)
Product: Core → Plugins
QA Contact: plugins → microsoft-wmp
Summary: Reproducable Crash in WMP? at [@ npdsplay@0x1e9a3 ] and [@strcasecmp_l ] → Reproducible Crash in WMP? at [@ npdsplay@0x1e9a3 ] and [@strcasecmp_l ]
Version: 1.9.1 Branch → 3.x
Version: 3.x → 11.x
Crash Signature: [@ npdsplay@0x1e9a3 ] [@strcasecmp_l ]
Crash Signature: [@ npdsplay@0x1e9a3 ] [@strcasecmp_l ] → [@ npdsplay@0x1e9a3 ] [@strcasecmp_l ]
Andy - do you have any information about this (probably old) crash?
What is the link that causes the crash?
Keywords: sec-vector
Keywords: sec-other
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Group: core-security
Product: Plugins → Plugins Graveyard