Closed
Bug 512387
Opened 15 years ago
Closed 11 years ago
Reproducible WMV crash [@ npdsplay.dll@0x1e9a3]
Categories
(Plugins Graveyard :: Windows Media Player (Microsoft), defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: jbecerra, Unassigned)
References
()
Details
(Keywords: crash, sec-vector, Whiteboard: [sg:vector-dos wmp][crashkill outreach])
Crash Data
Attachments
(1 file)
34.84 KB, application/java-archive
Load the url provided and crash. 1.9.0, 1.9.1, and 1.9.2 also crash.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090819 Minefield/3.7a1pre (.NET CLR 3.5.30729)
Flash Version: 10.0.32.18.

(f90.78): Access violation - code c0000005 (!!! second chance !!!)
eax=5f380753 ebx=06acc758 ecx=06acc6f8 edx=00000000 esi=5f37a7f1 edi=00000000
eip=5f34e9a3 esp=0012eba8 ebp=0012ebb4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Windows Media Player\npdsplay.dll -
npdsplay!unuse_netscape_plugin_Plugin+0x88c3:
5f34e9a3 8a27            mov     ah,byte ptr [edi]          ds:0023:00000000=??
0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitable;k;q'
Opened log file 'dbgeng.log'
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\xpcom_core.dll
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\components\gklayout.dll
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\components\gkplugin.dll
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\components\necko.dll
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\components\gkwidget.dll
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\components\tkitcmps.dll
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\xul.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at npdsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 (Hash=0x7f271a42.0x5b12103c)

The data from the faulting address is later used to determine whether or not a branch is taken.

ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ebb4 5f33d2e8 npdsplay!unuse_netscape_plugin_Plugin+0x88c3
0012ebd8 00449616 npdsplay!native_NPDS_npDSJavaPeer_StreamSelect+0x29f8
0012ebe0 0042fdfb nspr4!PR_GetCurrentThread+0x16
0012ebf4 0031514b nspr4!PR_GetThreadPrivate+0xb
0012ec1c 01ccb133 xpcom_core!NS_LogRelease_P+0x1b
0012ec34 0196acdc gklayout!nsHTMLDocument::Release+0x23
0012ec44 01a6a115 gklayout!nsCOMPtr<nsIDocument>::~nsCOMPtr<nsIDocument>+0x3c
0012ec64 06aa7548 gklayout!nsPluginInstanceOwner::GetMode+0x95
0012ec94 0042fdfb 0x6aa7548
0012eca8 0012eccc nspr4!PR_GetThreadPrivate+0xb
0012ed24 02865820 0x12eccc
0012ed2c 0287be1a gkplugin!nsNPAPIPluginInstance::Initialize+0x80
0012f050 0287b680 gkplugin!nsPluginHost::TrySetUpPluginInstance+0x5aa
0012f0a4 02879937 gkplugin!nsPluginHost::SetUpPluginInstance+0x40
0012f36c 02873a06 gkplugin!nsPluginHost::InstantiateEmbeddedPlugin+0x947
0012f510 021a10fa gkplugin!nsPluginStreamListenerPeer::OnStartRequest+0x916
0012f6ac 02c69d3c gklayout!nsObjectLoadingContent::OnStartRequest+0xeca
0012f6f8 02c6a9f9 necko!nsHttpChannel::CallOnStartRequest+0x2ec
0012f76c 02c6a4d2 necko!nsHttpChannel::ProcessNormal+0x239
0012f78c 02c77138 necko!nsHttpChannel::ProcessResponse+0x202
quit:
Comment 1•15 years ago
reproducible on Mac
Product Firefox Version 3.5.3pre Build ID 20090821030839
http://crash-stats.mozilla.com/report/index/7094ff7d-876a-4fc7-9dc7-4b7ea2090824

0 libSystem.B.dylib strcasecmp_l
1 libSystem.B.dylib strcasecmp
2 Flip4Mac WMV Plugin Flip4Mac WMV Plugin@0x5556
3 Flip4Mac WMV Plugin Flip4Mac WMV Plugin@0x56f1
4 Flip4Mac WMV Plugin Flip4Mac WMV Plugin@0x5d91
5 XUL nsNPAPIPluginInstance::InitializePlugin modules/plugin/base/src/nsNPAPIPluginInstance.cpp:1030
6 XUL nsPluginHostImpl::TrySetUpPluginInstance modules/plugin/base/src/nsPluginHostImpl.cpp:3872
7 XUL nsPluginHostImpl::SetUpPluginInstance modules/plugin/base/src/nsPluginHostImpl.cpp:3670
8 XUL nsPluginHostImpl::InstantiateEmbeddedPlugin modules/plugin/base/src/nsPluginHostImpl.cpp:3361
9 XUL nsPluginStreamListenerPeer::OnStartRequest modules/plugin/base/src/nsPluginHostImpl.cpp:2025
10 XUL nsObjectLoadingContent::OnStartRequest content/base/src/nsObjectLoadingContent.cpp:608
11 XUL NS_InvokeByIndex_P xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
12 XUL XPCWrappedNative::CallMethod js/src/xpconnect/src/xpcwrappednative.cpp:2454
13 XUL XPC_WN_CallMethod js/src/xpconnect/src/xpcwrappednativejsops.cpp:1590
14 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1386
15 libmozjs.dylib js_Interpret js/src/jsinterp.cpp:5179
16 libmozjs.dylib js_Invoke js/src/jsinterp.cpp:1394
17 XUL nsXPCWrappedJSClass::CallMethod js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
18 XUL nsXPCWrappedJS::CallMethod js/src/xpconnect/src/xpcwrappedjs.cpp:569
19 XUL PrepareAndDispatch xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
20 XUL PrepareAndDispatch
21 XUL nsHttpChannel::CallOnStartRequest netwerk/protocol/http/src/nsHttpChannel.cpp:846
22 XUL nsHttpChannel::ProcessNormal netwerk/protocol/http/src/nsHttpChannel.cpp:1128
23 XUL nsHttpChannel::ProcessResponse netwerk/protocol/http/src/nsHttpChannel.cpp:997
24 XUL nsHttpChannel::OnStartRequest netwerk/protocol/http/src/nsHttpChannel.cpp:4868
25 XUL nsInputStreamPump::OnStateStart netwerk/base/src/nsInputStreamPump.cpp:439
26 XUL nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:395
27 XUL nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:111
28 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510
29 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:180
30 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:121
31 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:405
32 CoreFoundation CFRunLoopRunSpecific
33 CoreFoundation CFRunLoopRunInMode
34 HIToolbox RunCurrentEventLoopInMode
35 HIToolbox ReceiveNextEventCommon
36 HIToolbox BlockUntilNextEventMatchingListInMode
37 AppKit _DPSNextEvent
38 AppKit -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
39 AppKit -[NSApplication run]
40 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:720
41 XUL nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:193
42 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3321
43 firefox-bin main browser/app/nsBrowserApp.cpp:156
44 firefox-bin firefox-bin@0x1541
45 firefox-bin firefox-bin@0x1468
46 @0x2
Summary: Data from Faulting Address controls Branch Selection starting at np dsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 (Hash=0x7f271a42.0x5b12103c) → reproducible crash np dsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 and [@strcasecmp_l ]
Comment 2•15 years ago
Firefox 3.5.2 Crash Report [@npdsplay.dll@0x1e9a3 ]
Signature: npdsplay.dll@0x1e9a3
http://crash-stats.mozilla.com/report/index/10029468-b956-4c6e-8945-5fc362090824

I think these are dup signatures of stuff already on file.
Summary: reproducible crash np dsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 and [@strcasecmp_l ] → reproducible crash [@npdsplay.dll@0x1e9a3 ] and [@strcasecmp_l ] np dsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3
Comment 3•15 years ago
maybe bug 511767
Comment 4•15 years ago
Do we have contacts who work on Windows Media Player and Flip4Mac? We can't fix this bug ourselves.
Summary: reproducible crash [@npdsplay.dll@0x1e9a3 ] and [@strcasecmp_l ] np dsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 → Reproducible WMV crash [@ npdsplay.dll@0x1e9a3] and [@ strcasecmp_l] [@ Flip4Mac WMV Plugin@0x5556]
Comment 5•15 years ago
Yeah, if we think there is a possible security implication in their code beyond a DoS we should send a report from security@mozilla.org to security@microsoft.com. We should also do this if we don't want to take the time, or can't, to figure out the possible security implications. We could just send mail to Microsoft, ask for a cc mail address and give that bugzilla account access to the bug.

It may be harder to find something for Flip. Flip might license code from Microsoft so Microsoft might have a contact. We could just try mail to security@theflip.com but I guess a smaller consumer product company like that may not have security@ set up. On http://www.theflip.com/privacy.shtml I see another possible e-mail:

13. QUESTIONS OR COMMENTS
If you have any questions, comments, or concerns relating to the Pure Digital Services or this privacy policy, please send an e-mail to privacy@puredigitalinc.com or write to us at:
Pure Digital Technologies, Inc.
Attn: Privacy Compliance Officer
30 Maiden Lane 6th Floor
San Francisco, CA 94108

Sound like a plan? If this makes sense, can dveditz, bsterne, reed, or others who have the mail cert send this mail?
Comment 6•15 years ago
the mail should also reference and grant access to bug 511767
Updated•15 years ago
Whiteboard: [sg:vector wmp]
Comment 7•15 years ago
The WMP crash in comment 0 is a null deref. A crash in Flip4Mac should get its own bug; there's no relation between these two as far as I know. There's not enough information in comment 1 to say whether the Flip4Mac crash is a problem or not.
Whiteboard: [sg:vector wmp] → [sg:vector-dos wmp]
Updated•14 years ago
Whiteboard: [sg:vector-dos wmp] → [sg:vector-dos wmp][crashkill outreach]
Component: Plug-ins → Windows Media Player (Microsoft)
Product: Core → Plugins
QA Contact: plugins → microsoft-wmp
Version: Trunk → 3.x
I've filed bug 558772 for Flip4Mac
Summary: Reproducible WMV crash [@ npdsplay.dll@0x1e9a3] and [@ strcasecmp_l] [@ Flip4Mac WMV Plugin@0x5556] → Reproducible WMV crash [@ npdsplay.dll@0x1e9a3]
Updated•13 years ago
Crash Signature: [@ npdsplay.dll@0x1e9a3]
Updated•12 years ago
Keywords: sec-vector
Comment 9•11 years ago
Not going to track this further.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Updated•10 years ago
Group: core-security
Updated•8 years ago
Product: Plugins → Plugins Graveyard