Closed Bug 1504414 Opened 6 years ago Closed 6 years ago

Access violation while reading memory at 0x40 using a NULL pointer. firefox.exe!xul.dll

Categories

(Core :: Spelling checker, defect)

63 Branch
x86_64
Windows 10
defect
Not set
critical


RESOLVED DUPLICATE of bug 1497480

People

(Reporter: b.kurinnoy, Unassigned)

Details

(Keywords: crash, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments (3 files)

- 133.92 KB, application/x-rar
- 500.75 KB, text/html
- 4.98 MB, text/html
Attached file info.rar
The vulnerability was detected by fuzzing.
I used domato, BugId and some scripts.
Fuzzing was done on the latest version of Firefox (63.0.1) on Windows 10 x64.

BugId identified this as the following problem:
AVR@NULL+0x40 9ad.6e4 @ firefox.exe!xul.dll+0x405FDA2

BugId:           AVR@NULL+0x40 9ad.6e4
Location:        firefox.exe!xul.dll+0x405FDA2
Description:     Access violation while reading memory at 0x40 using a NULL pointer.
Version:         firefox.exe: 63.0.1.6877 (x64)
                 xul.dll: 63.0.1.6877 (x64)

The BugId report and Proof_of_concept.html are in the rar archive (info.rar). info.rar is attached.
Flags: sec-bounty?
Severity: normal → critical
Keywords: crash, sec-high
OS: Unspecified → Windows 10
Priority: -- → P5
Hardware: Unspecified → Desktop
Version: unspecified → 63 Branch
Crash Signature: Access violation while reading memory at 0x40 using a NULL pointer. firefox.exe!xul.dll+0x405FDA2
Hardware: Desktop → x86_64
Attached file crash.html
Flags: needinfo?(b.kurinnoy)
Attached file report.html
Flags: needinfo?(b.kurinnoy)
Please don't alter the priority field or set security keywords yourself.
Keywords: sec-high
Priority: P5 → --
Does the crashreporter come up, and if so, can you link to a report corresponding to this crash? (you can find them in about:crashes )
Flags: needinfo?(b.kurinnoy)
(In reply to :Gijs (he/him) from comment #5)
> Does the crashreporter come up, and if so, can you link to a report
> corresponding to this crash? (you can find them in about:crashes )

Ok!) https://crash-stats.mozilla.com/report/index/9d5e5279-2526-4a7e-ad75-e63da0181103
Flags: needinfo?(b.kurinnoy)
The stack looks like bug 1446043 which is supposed to have been fixed by bug 1497480 on Firefox 65 and later. This also looks like a nullptr crash to me, so I think it isn't a security issue. Edgar, can you confirm?

Reporter, can you confirm if you can still reproduce the crash with a copy of Firefox Nightly? ( https://nightly.mozilla.org/ - you may want to use a separate/temp profile to test)
Group: firefox-core-security → dom-core-security
Component: Security → Spelling checker
Flags: needinfo?(echen)
Flags: needinfo?(b.kurinnoy)
Product: Firefox → Core
I can't reproduce this crash in Firefox Nightly 65.0a1.
Flags: needinfo?(b.kurinnoy)
Yes, it is a nullptr crash and has been fixed by bug 1497480.
Flags: needinfo?(echen)
Group: dom-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-