Closed
Bug 511767
Opened 15 years ago
Closed 11 years ago
Reproducible Crash in WMP? at [@ npdsplay@0x1e9a3 ] and [@strcasecmp_l ]
Categories
(Plugins Graveyard :: Windows Media Player (Microsoft), defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: cbook, Unassigned)
References
()
Details
(Keywords: crash, sec-vector, Whiteboard: [sg:vector wmp])
Crash Data
Attachments
(1 file)
240.09 KB,
application/octet-stream
Steps to reproduce: Load http://sites.google.com/site/mori79/html-gadgets/audio-players

Crashes Windows, Mac 3.5 builds. WMV problem?

(79c.89c): Access violation - code c0000005 (!!! second chance !!!)
eax=5f380753 ebx=04b8f508 ecx=06ec5eb8 edx=00000000 esi=5f37a7f1 edi=00000000
eip=5f34e9a3 esp=0012eb80 ebp=0012eb8c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
npdsplay!unuse_netscape_plugin_Plugin+0x88c3:
5f34e9a3 8a27 mov ah,byte ptr [edi] ds:0023:00000000=??

- Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at npdsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 (Hash=0x1d206756.0x7509283d)
The data from the faulting address is later used to determine whether or not a branch is taken.

ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012eb8c 5f33d2e8 npdsplay!unuse_netscape_plugin_Plugin+0x88c3
0012ebb0 0042fdeb npdsplay!native_NPDS_npDSJavaPeer_StreamSelect+0x29f8
0012ebc4 0030e1cb nspr4!PR_GetThreadPrivate+0xb
0012ebec 071d9ae3 xpcom_core!NS_LogRelease_P+0x1b
0012ec10 0719ee5c gkplugin!nsPluginInstancePeerImpl::Release+0x93
0012ec20 071a1015 gkplugin!nsCOMPtr<nsIPluginInstancePeer>::~nsCOMPtr<nsIPluginInstancePeer>+0x3c
0012ec44 04b80001 gkplugin!nsCOMPtr<nsIPluginInstancePeer>::Assert_NoQueryNeeded+0x95
0012ec84 1021af95 0x4b80001
0012ecb8 10210004 MSVCR80D!malloc_dbg+0x455
0012ed14 071a660a MSVCR80D!_unDNameEx+0x6d04
0012ed20 071baae3 gkplugin!nsNPAPIPluginInstance::Initialize+0x3a
0012f12c 071b9f5a gkplugin!nsPluginHostImpl::TrySetUpPluginInstance+0x993
0012f184 071b8230 gkplugin!nsPluginHostImpl::SetUpPluginInstance+0x4a
0012f448 071b1c66 gkplugin!nsPluginHostImpl::InstantiateEmbeddedPlugin+0x950
0012f5e8 02d7167d gkplugin!nsPluginStreamListenerPeer::OnStartRequest+0x916
0012f78c 01386b9c gklayout!nsObjectLoadingContent::OnStartRequest+0xf4d
0012f7d4 01393606 necko!nsHttpChannel::CallOnStartRequest+0x2ec
0012f7e0 012e74b4 necko!nsHttpChannel::OnStartRequest+0x2d6
0012f808 012e7320 necko!nsInputStreamPump::OnStateStart+0xa4
0012f818 002e393a necko!nsInputStreamPump::OnInputStreamReady+0x70
quit:
Reporter
Comment 1•15 years ago
Saved copy of this site. Also crash from local copy - all you need to do to crash is load the ifr.htm file --> crash.
Comment 2•15 years ago
My (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3pre) Gecko/20090811 Shiretoko/3.5.3pre stack with signature [@strcasecmp_l ] looks like http://crash-stats.mozilla.com/report/index/2509dc3c-33ee-4aaa-a43b-de5582090820?p=1

0 libSystem.B.dylib strcasecmp_l
1 libSystem.B.dylib strcasecmp
2 Flip4Mac WMV Plugin Flip4Mac WMV Plugin@0x5556
3 Flip4Mac WMV Plugin Flip4Mac WMV Plugin@0x56f1
4 Flip4Mac WMV Plugin Flip4Mac WMV Plugin@0x5d91
5 XUL nsNPAPIPluginInstance::InitializePlugin modules/plugin/base/src/nsNPAPIPluginInstance.cpp:1030
6 XUL nsPluginHostImpl::TrySetUpPluginInstance modules/plugin/base/src/nsPluginHostImpl.cpp:3872
7 XUL nsPluginHostImpl::SetUpPluginInstance modules/plugin/base/src/nsPluginHostImpl.cpp:3670
8 XUL nsPluginHostImpl::InstantiateEmbeddedPlugin modules/plugin/base/src/nsPluginHostImpl.cpp:3361
9 XUL nsPluginStreamListenerPeer::OnStartRequest modules/plugin/base/src/nsPluginHostImpl.cpp:2025
10 XUL nsObjectLoadingContent::OnStartRequest content/base/src/nsObjectLoadingContent.cpp:608
11 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
12 XUL XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2454
13 XUL XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1590
14 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1386
15 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:5179
16 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1394
17 XUL nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
18 XUL nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:569
19 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
20 XUL PrepareAndDispatch
21 XUL nsHttpChannel::CallOnStartRequest netwerk/protocol/http/src/nsHttpChannel.cpp:846
22 XUL nsHttpChannel::OnStartRequest netwerk/protocol/http/src/nsHttpChannel.cpp:4897
23 XUL nsInputStreamPump::OnStateStart netwerk/base/src/nsInputStreamPump.cpp:439
24 XUL nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:395
25 XUL nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:111
26 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510
27 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:180
28 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:121
29 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:405
30 CoreFoundation CFRunLoopRunSpecific
31 CoreFoundation CFRunLoopRunInMode
32 HIToolbox RunCurrentEventLoopInMode
33 HIToolbox ReceiveNextEventCommon
34 HIToolbox BlockUntilNextEventMatchingListInMode
35 AppKit _DPSNextEvent
36 AppKit -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
37 AppKit -[NSApplication run]
38 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:720
39 XUL nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:193
40 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3321
41 firefox-bin main browser/app/nsBrowserApp.cpp:156
42 firefox-bin firefox-bin@0x1541
43 firefox-bin firefox-bin@0x1468
44 @0x2
Comment 3•15 years ago
Windows stack signature [@npdsplay.dll@0x1e9a3 ] http://crash-stats.mozilla.com/report/index/263aaecf-e260-49d1-a21c-c48732090820?p=1

Frame Module Signature Source
0 npdsplay.dll npdsplay.dll@0x1e9a3
1 npdsplay.dll npdsplay.dll@0xd2e7

On Windows, Chrome seems immune to the crash. IE8 does too, but that might be the result of the right content not getting loaded. I see lots of XML errors on the page after I got past the Flash and WMP installation prompts seen after loading the page and getting plugin-finder-like dialogs.
Comment 4•15 years ago
Yesterday we got 49 total crashes for npdsplay on 20090819-crashdata.csv; 19 were start-up crashes inside 3 minutes.

Distribution of versions where the crash was found on 20090819-crashdata.csv:
29 Firefox 3.0.13
7 Firefox 3.5.2
3 Firefox 3.0.6
2 Firefox 3.5
2 Firefox 3.0.4
2 Firefox 3.0.1
1 Firefox 3.0.8
1 Firefox 3.0.3
1 Firefox 3.0.12
1 Firefox 3.0.10

OS breakdown:
20 npdsplay.dll@0x1e9a3 Windows NT 5.1.2600 Service Pack 3
4 npdsplay.dll@0x17b34 Windows NT 5.1.2600 Service Pack 3
4 npdsplay.dll@0x10bdc Windows NT 5.1.2600 Service Pack 2
3 npdsplay.dll@0x1e8b3 Windows NT 5.1.2600 Service Pack 2
2 npdsplay.dll@0x2a417 Windows NT 5.1.2600 Service Pack 2
1 npdsplay.dll@0x31410 Windows NT 5.1.2600 Service Pack 2
1 npdsplay.dll@0x31064 Windows NT 5.1.2600 Service Pack 2
1 npdsplay.dll@0x2ae13 Windows NT 5.1.2600 Service Pack 3
1 npdsplay.dll@0x2ad15 Windows NT 5.1.2600 Service Pack 3
1 npdsplay.dll@0x2a3fc Windows NT 5.1.2600 Service Pack 2
1 npdsplay.dll@0x2a3fb Windows NT 5.1.2600 Service Pack 3
1 npdsplay.dll@0x2a3f7 Windows NT 5.1.2600 Service Pack 3
1 npdsplay.dll@0x2a3b8 Windows NT 5.1.2600 Service Pack 3
1 npdsplay.dll@0x29539 Windows NT 5.1.2600 Dodatek Service Pack 2
1 npdsplay.dll@0x29519 Windows NT 5.1.2600 Szervizcsomag 3
1 npdsplay.dll@0x29519 Windows NT 5.1.2600 Service Pack 2
1 npdsplay.dll@0x294a4 Windows NT 5.1.2600 Service Pack 3
1 npdsplay.dll@0x1ed3d Windows NT 5.1.2600 Service Pack 1
1 npdsplay.dll@0x179f4 Windows NT 5.1.2600
1 npdsplay.dll@0x10bdc Windows NT 5.1.2600 Service Pack 3
1 npdsplay.dll@0x107cb Windows NT 5.1.2600 Service Pack 3
Updated•15 years ago
Summary: Data from Faulting Address controls Branch Selection starting at npdsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 → Crash [@ npdsplay !unuse_netscape_plugin_Plugin+0x00000000000088c3] and [@strcasecmp_l ]
Updated•15 years ago
Summary: Crash [@ npdsplay !unuse_netscape_plugin_Plugin+0x00000000000088c3] and [@strcasecmp_l ] → Reproducable Crash in WMP? at [@ npdsplay@0x1e9a3 ] and [@strcasecmp_l ]
Comment 6•15 years ago
Looking at a sample of 100 npdsplay.dll crashes from yesterday I can see the same variety of stack signatures, but it is isolated to a few versions of the .dll. It looks like the majority of these crashes match the stack signature listed here, so there are possibly more sites like this and in bug 512387 that can crash Firefox in the same way, or we are seeing many people hitting the same few sites.

40 npdsplay.dll@0x1e9a3 3.0.2.629
7 npdsplay.dll@0x1ee53 3.0.2.629
6 npdsplay.dll@0x3b368 3.0.2.629
2 npdsplay.dll@0x29519 3.0.2.629
2 npdsplay.dll@0x2380c 3.0.2.629
1 npdsplay.dll@0x31038 3.0.2.629
1 npdsplay.dll@0x30fa9 3.0.2.629
1 npdsplay.dll@0x2a3f7 3.0.2.629
1 npdsplay.dll@0x2a3b3 3.0.2.629
1 npdsplay.dll@0x295f1 3.0.2.629
1 npdsplay.dll@0x294b4 3.0.2.629
1 npdsplay.dll@0x294af 3.0.2.629
1 npdsplay.dll@0x2389d 3.0.2.629
1 npdsplay.dll@0x17b34 3.0.2.629
3 npdsplay.dll@0x1e8b3 3.0.2.628
1 npdsplay.dll@0x31738 3.0.2.628
1 npdsplay.dll@0x2a417 3.0.2.628
1 npdsplay.dll@0x17b44 3.0.2.628
1 npdsplay.dll@0x29539 3.0.2.628
1 npdsplay.dll@0x1ed63 3.0.2.628
1 npdsplay.dll@0x1ec4d 3.0.2.628
1 npdsplay.dll@0x1e763 3.0.2.627
1 npdsplay.dll@0x2a2b8 3.0.2.627
1 npdsplay.dll@0x29541 3.0.2.627
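The breakdowns in comments 4 and 6 (crashes by product version, by signature and OS, by plugin module version, plus the count of start-up crashes inside 3 minutes) can be reproduced from any crash-report export with a few counters. The script below is an added example, not Mozilla's crash-stats tooling; the rows it reads are constructed here and the comma-separated layout, the 180-second start-up window and the "dominant signature share" heuristic are assumptions of the example.

```python
from collections import Counter

STARTUP_WINDOW_SECONDS = 180  # comment 4's "start up crashes inside 3 minutes"
# Constructed rows (not real crash-stats data) with the fields the triage used:
# signature, product version, OS string, npdsplay.dll version, uptime in seconds.
SAMPLE_ROWS = """\
npdsplay.dll@0x1e9a3,Firefox 3.0.13,Windows NT 5.1.2600 Service Pack 3,3.0.2.629,42
npdsplay.dll@0x1e9a3,Firefox 3.5.2,Windows NT 5.1.2600 Service Pack 3,3.0.2.629,900
npdsplay.dll@0x17b34,Firefox 3.0.13,Windows NT 5.1.2600 Service Pack 3,3.0.2.629,15
npdsplay.dll@0x1e8b3,Firefox 3.0.6,Windows NT 5.1.2600 Service Pack 2,3.0.2.628,3600
npdsplay.dll@0x1e9a3,Firefox 3.0.13,Windows NT 5.1.2600 Service Pack 2,3.0.2.629,120
strcasecmp_l,Firefox 3.5.3pre,Mac OS X 10.5,,7
"""

def parse_rows(text):
    """Parse comma-separated crash rows; an empty module version becomes None."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        sig, version, os_name, module_version, uptime = line.split(",")
        rows.append({"signature": sig, "version": version, "os": os_name,
                     "module_version": module_version or None, "uptime": int(uptime)})
    return rows

def triage(rows):
    """Breakdowns from comments 4 and 6 plus a signature-concentration check."""
    total = len(rows)
    top_sig, top_count = Counter(r["signature"] for r in rows).most_common(1)[0]
    return {
        "total": total,
        "startup": sum(1 for r in rows if r["uptime"] < STARTUP_WINDOW_SECONDS),
        "by_version": Counter(r["version"] for r in rows),
        "by_signature_os": Counter((r["signature"], r["os"]) for r in rows),
        # Rows without a module version (the Mac Flip4Mac crash) are left out here.
        "by_module_version": Counter((r["signature"], r["module_version"])
                                     for r in rows if r["module_version"]),
        # A high share on one signature suggests one bug hit by many users, not many faults.
        "dominant_signature": top_sig,
        "dominant_share": top_count / total,
    }

def format_report(result):
    lines = [f"{result['total']} total crashes, {result['startup']} at startup"]
    lines += [f"{n} {v}" for v, n in result["by_version"].most_common()]
    lines += [f"{n} {s} {o}" for (s, o), n in result["by_signature_os"].most_common()]
    lines.append(f"dominant signature {result['dominant_signature']} "
                 f"({result['dominant_share']:.0%} of sample)")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(triage(parse_rows(SAMPLE_ROWS))))
```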
Updated•15 years ago
Whiteboard: [sg:vector wmp]
Reporter
Comment 9•15 years ago
More steps to reproduce:
-> http://crash-stats.mozilla.com/report/index/1eba16bd-8449-499f-b9c8-1ad882090924?p=1 (3.0.14)
-> http://crash-stats.mozilla.com/report/index/cb95e7d9-8d59-4b30-b94f-d22a82090924?p=1 (3.5.3)
while loading http://daksu20.com/

Chofmann, is this one of our topcrashes now? I see this a lot in my test runs.
Component: Plug-ins → Windows Media Player (Microsoft)
Product: Core → Plugins
QA Contact: plugins → microsoft-wmp
Summary: Reproducable Crash in WMP? at [@ npdsplay@0x1e9a3 ] and [@strcasecmp_l ] → Reproducible Crash in WMP? at [@ npdsplay@0x1e9a3 ] and [@strcasecmp_l ]
Version: 1.9.1 Branch → 3.x
Assignee
Updated•13 years ago
Crash Signature: [@ npdsplay@0x1e9a3 ] [@strcasecmp_l ]
Crash Signature: [@ npdsplay@0x1e9a3 ] [@strcasecmp_l ] → [@ npdsplay@0x1e9a3 ] [@strcasecmp_l ]
Comment 10•12 years ago
Andy - do you have any information about this (probably old) crash?
Comment 11•12 years ago
What is the link that causes the crash?
Updated•12 years ago
Keywords: sec-vector
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Updated•10 years ago
Group: core-security
Assignee
Updated•8 years ago
Product: Plugins → Plugins Graveyard