Closed Bug 193429 Opened 22 years ago Closed 22 years ago

A bug in a plug-in can crash browser.

Categories

(Core Graveyard :: Plug-ins, defect)

DEC
OpenVMS
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 156493

People

(Reporter: Malmberg, Assigned: peterlubczynski-bugs)

Details

User-Agent: Mozilla/5.0 (X11; U; OpenVMS COMPAQ_AlphaServer_DS10_466_MHz; en-US; rv:1.3b) Gecko/20030207
Build Identifier: Mozilla/5.0 (X11; U; OpenVMS COMPAQ_AlphaServer_DS10_466_MHz; en-US; rv:1.3b) Gecko/20030207

A bug in a plug-in can crash the browser.

All calls to entry points to plug-ins should be set up to intercept errors and terminate the plug-in function instead of allowing the entire browser to crash.

A diagnostic should be displayed when a plug-in hits a fatal error.

As part of the test procedure, a set of plug-ins, one for each entry point that can be called, should be made. These plug-ins should make an illegal memory access. The browser should not crash.

There are many bug reports in Bugzilla about plug-ins crashing the browser, but the fixes seem to be concentrating on the specific plug-in, instead of fixing the common vulnerability in the browser.

Reproducible: Sometimes

Steps to Reproduce:
1. Install a user-written plug-in like the OpenVMS flash viewer.
2. Go to a page with flash (it may take a couple of tries to find one). A current example is: http://www.adelphia-econnections.com/
3.

Actual Results:

    %SYSTEM-F-ACCVIO, access violation, reason mask=00, virtual address=0000000000000000, PC=00000000065D8190, PS=0000001B
    %TRACE-F-TRACEBACK, symbolic stack dump follows
    image           module              routine                  line    rel PC            abs PC
    LIBFLASHPLUGIN  graphic             setMovieDimension        8804    0000000000000560  00000000065D8190
    LIBFLASHPLUGIN  flash               FlashGraphicInit         8845    000000000000046C  00000000065C45BC
    LIBFLASHPLUGIN  PLUGIN              FlashGraphicInitX11      26593   0000000000001414  00000000065C3414
    LIBFLASHPLUGIN  PLUGIN              NPP_Write                26199   0000000000000B5C  00000000065C2B5C
    LIBFLASHPLUGIN  NPUNIX              Private_Write            11216   0000000000000744  00000000065C3C54
    LIBGKPLUGIN     NS4XPLUGININSTANCE  OnDataAvailable          92161   0000000000000D8C  0000000002A9ED9C
    LIBGKPLUGIN     NSPLUGINHOSTIMPL    OnDataAvailable          100121  000000000000A33C  0000000002AAB6AC
    LIBNECKO        NSHTTPCHANNEL       OnDataAvailable          65972   000000000001246C  000000000111F79C
    LIBNECKO        NSINPUTSTREAMPUMP   OnStateTransfer          43208   0000000000001A04  0000000001091E94
    LIBNECKO        NSINPUTSTREAMPUMP   OnInputStreamReady       43123   00000000000016AC  0000000001091B3C
    LIBXPCOM        NSSTREAMUTILS       EventHandler             14163   000000000000034C  00000000009867AC
    LIBXPCOM        PLEVENT             PL_HandleEvent           41022   0000000000000E08  00000000009B5618
    LIBXPCOM        PLEVENT             PL_ProcessPendingEvents  40952   0000000000000C3C  00000000009B544C
    LIBXPCOM        NSEVENTQUEUE        ProcessPendingEvents     27060   0000000000001704  00000000009AC174
    LIBWIDGET_GTK   NSAPPSHELL          our_gdk_io_invoke        71616   0000000000000544  0000000001FF4624
    LIBGLIB         GMAIN               g_main_dispatch          19265   0000000000000B80  0000000000181FD0
    LIBGLIB         GMAIN               g_main_iterate           19486   000000000000132C  000000000018277C
    LIBGLIB         GMAIN               g_main_run               19544   0000000000001548  0000000000182998
    LIBGTK          GTKMAIN             gtk_main                 21888   0000000000000AD8  00000000003FFDE8
    LIBWIDGET_GTK   NSAPPSHELL          Run                      71886   0000000000001414  0000000001FF54F4
    MOZILLA-BIN     NSAPPRUNNER         main1                    84192   00000000000075A4  00000000000775A4
    MOZILLA-BIN     NSAPPRUNNER         main                     84555   0000000000008218  0000000000078218
    MOZILLA-BIN     NSAPPRUNNER         __MAIN                   0       00000000000000B8  00000000000700B8
    MOZILLA-BIN                                                  0       00000000000A2FF8  00000000000B2FF8
    PTHREAD$RTL                                                  0       000000000003E5B0  000000007BCFE5B0
    PTHREAD$RTL                                                  0       000000000001C31C  000000007BCDC31C
                                                                 0       FFFFFFFF8028563C  FFFFFFFF8028563C

Expected Results:
Mozilla should have posted a dialog box about the plug-in being terminated due to errors. It should also give the name of the function that it intercepted the error on, and any other information it can determine about the error.

Even though this information is automatically captured by Bugzilla, if I do not post this copy, someone always posts a request to have me enter it.

Mozilla 1.3b
Mozilla/5.0 (X11; U; OpenVMS COMPAQ_AlphaServer_DS10_466_MHz; en-US; rv:1.3b) Gecko/20030207
*** This bug has been marked as a duplicate of 156493 ***
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard
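
The report asks that a fault inside a plug-in entry point be contained and reported rather than taking down the host, and that test plug-ins making an illegal memory access be used to verify this. The following is an added example, not code from Mozilla or from this bug: it contains the fault by running the entry point in a child process on a POSIX system, which is a different technique from the in-process interception the reporter describes. The names `plugin_write_fn`, `good_write`, `bad_write` and `guarded_call` are hypothetical.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical entry-point type: consumes a buffer, returns bytes accepted. */
typedef int (*plugin_write_fn)(const char *buf, int len);

/* Constructed test plug-ins: one well-behaved, one making an illegal access. */
static int good_write(const char *buf, int len) { (void)buf; return len; }
static int bad_write(const char *buf, int len) {
    volatile int *p = NULL;          /* store through address 0, as in the ACCVIO */
    (void)buf; *p = len; return len;
}

/* signal != 0: entry point was killed by that signal; value is -1 on any failure. */
struct guarded_result { int signal; int value; };

/* Run the entry point in a child process so a fault kills only the child. */
static struct guarded_result guarded_call(plugin_write_fn fn, const char *buf, int len) {
    struct guarded_result r = { 0, -1 };
    int fds[2];
    if (pipe(fds) != 0) return r;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return r; }
    if (pid == 0) {                  /* child: the only place plug-in code runs */
        close(fds[0]);
        int v = fn(buf, len);
        if (write(fds[1], &v, sizeof v) != (ssize_t)sizeof v) _exit(1);
        _exit(0);
    }
    close(fds[1]);
    int v = 0, status = 0;
    ssize_t n = read(fds[0], &v, sizeof v);   /* EOF (0) if the child died early */
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return r;
    if (WIFSIGNALED(status)) r.signal = WTERMSIG(status);
    else if (WIFEXITED(status) && WEXITSTATUS(status) == 0 && n == (ssize_t)sizeof v) r.value = v;
    return r;
}

int main(void) {
    printf("good plug-in returned %d\n", guarded_call(good_write, "abc", 3).value);
    struct guarded_result r = guarded_call(bad_write, "abc", 3);
    if (r.signal) printf("plug-in entry point terminated by signal %d; host still running\n", r.signal);
    return 0;
}
```

The host learns which entry point failed and with which signal, which is the information the report wants shown in a diagnostic.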