Closed Bug 290974 Opened 19 years ago Closed 19 years ago

malformed favicon can trigger crash

Categories

(Firefox :: Bookmarks & History, defect)

x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 245631

People

(Reporter: rkramer, Unassigned)

References

()

Details

(Keywords: crash, crashreportid, Whiteboard: dupe of bug 245631)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050317 Firefox/1.0.2

A custom designed favicon that is not a valid image can be used as a remote
exploit to have firefox run custom code.  This was discovered inadvertently with
a corrupted favicon, and a small proof of concept has been started.

Reproducible: Always

Steps to Reproduce:
1. put invalid favicon on webserver
2. EVERY page on that site will crash firefox and expose the exploit
3.

Actual Results:  
fatal error in firefox

Expected Results:  
handled the favicon as any regular invalid image
TB5204658Y with yesterday's nightly build.  This is pretty fun.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.4?
Keywords: crash, talkbackid
Summary: Favicon remote exploit → malformed favicon can trigger crash
I can't get a crash at the URL linked above. The talkback stack pointed at
msvcrt called by nsICODecoder::ProcessData() line 409 -- that'd be the memcpy().
Unfortunately talkback didn't capture the stack data so I can't see what the
variables hold, but this very well could be an instance of bug 245631.

Someone who can see the favicon would have to check on that.
Whiteboard: dupe of bug 245631?
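The comment above points at a memcpy() inside the ICO decoder as the crash site. The usual defensive shape for that kind of decoder is to validate every length and offset field of the icon directory against the actual buffer size before any copy. The following C program is an added illustration of that check, written for this page; it is not Mozilla's nsICODecoder code and does not reproduce the fix from bug 245631. The function names (ico_extract_first_image, build_sample_ico, the check_* helpers) and the status codes are hypothetical, and the ICO bytes are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical status codes for a bounds-checked parse (not Firefox's API). */
enum ico_status { ICO_OK = 0, ICO_TRUNCATED = 1, ICO_BAD_HEADER = 2, ICO_ENTRY_OUT_OF_RANGE = 3 };

#define ICONDIR_SIZE 6        /* reserved(2) type(2) count(2) */
#define ICONDIRENTRY_SIZE 16  /* w h colors reserved planes(2) bpp(2) bytesInRes(4) imageOffset(4) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Copy the first image of an ICO file into dst, but only after every header field
 * that feeds the copy length has been checked against the real buffer size.
 * A malformed file yields an error code instead of an out-of-bounds memcpy(). */
enum ico_status ico_extract_first_image(const uint8_t *buf, size_t len,
                                        uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    if (len < ICONDIR_SIZE) return ICO_TRUNCATED;
    if (rd16(buf) != 0 || rd16(buf + 2) != 1) return ICO_BAD_HEADER;  /* reserved 0, type 1 = icon */
    uint16_t count = rd16(buf + 4);
    if (count == 0) return ICO_BAD_HEADER;
    /* size_t arithmetic so count * 16 cannot wrap the way a 16-bit product would */
    if ((size_t)count * ICONDIRENTRY_SIZE > len - ICONDIR_SIZE) return ICO_TRUNCATED;

    const uint8_t *entry = buf + ICONDIR_SIZE;
    uint32_t size = rd32(entry + 8);   /* bytesInRes: attacker-controlled copy length */
    uint32_t off  = rd32(entry + 12);  /* imageOffset: attacker-controlled source offset */
    /* Check off first, then size against the remaining space, so off + size cannot overflow. */
    if (off > len || size > len - off) return ICO_ENTRY_OUT_OF_RANGE;
    if (size > dst_cap) return ICO_ENTRY_OUT_OF_RANGE;

    memcpy(dst, buf + off, size);
    *out_len = size;
    return ICO_OK;
}

/* Constructed sample: one ICONDIR, one ICONDIRENTRY, and a 4-byte stand-in payload.
 * bytes_in_res and image_offset are parameterised so the malformed cases can be built too. */
static size_t build_sample_ico(uint8_t *out, uint32_t bytes_in_res, uint32_t image_offset)
{
    static const uint8_t payload[4] = {0xDE, 0xAD, 0xBE, 0xEF};
    memset(out, 0, ICONDIR_SIZE + ICONDIRENTRY_SIZE + sizeof payload);
    out[2] = 1;                        /* type = icon */
    out[4] = 1;                        /* count = 1 */
    out[ICONDIR_SIZE + 0] = 16;        /* width */
    out[ICONDIR_SIZE + 1] = 16;        /* height */
    wr32(out + ICONDIR_SIZE + 8, bytes_in_res);
    wr32(out + ICONDIR_SIZE + 12, image_offset);
    memcpy(out + ICONDIR_SIZE + ICONDIRENTRY_SIZE, payload, sizeof payload);
    return ICONDIR_SIZE + ICONDIRENTRY_SIZE + sizeof payload;  /* 26 bytes */
}

/* Well-formed file: payload sits at offset 22 with length 4. */
int check_valid(void) {
    uint8_t ico[26], dst[64]; size_t n = 0;
    size_t len = build_sample_ico(ico, 4, 22);
    enum ico_status st = ico_extract_first_image(ico, len, dst, sizeof dst, &n);
    return (st == ICO_OK && n == 4 && dst[0] == 0xDE && dst[3] == 0xEF) ? ICO_OK : -1;
}

/* Malformed file: bytesInRes claims 4 GiB, which must be rejected before any copy. */
int check_oversized(void) {
    uint8_t ico[26], dst[64]; size_t n = 0;
    size_t len = build_sample_ico(ico, 0xFFFFFFFFu, 22);
    return ico_extract_first_image(ico, len, dst, sizeof dst, &n);
}

/* Malformed file: only 3 bytes delivered, shorter than the ICONDIR header. */
int check_truncated(void) {
    uint8_t ico[26], dst[64]; size_t n = 0;
    build_sample_ico(ico, 4, 22);
    return ico_extract_first_image(ico, 3, dst, sizeof dst, &n);
}

int main(void) {
    printf("valid=%d oversized=%d truncated=%d\n", check_valid(), check_oversized(), check_truncated());
    return 0;
}
```

The two malformed builders mirror what a fuzzer or a corrupted favicon on a web server tends to produce: a length field that does not match the bytes actually received, and a file cut short. The point of the ordering in the checks is that the length used by memcpy() is never trusted until it has been compared with both the source buffer and the destination capacity.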
if not fixed by bug 245631, we'll want to investigate on its own.
Flags: blocking-aviary1.0.5? → blocking-aviary1.0.5+
This crashes 1.0.4 but is fixed by the branch landing of bug 245631: confirming
dupe.

Also fixed on trunk.

*** This bug has been marked as a duplicate of 245631 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: dupe of bug 245631? → dupe of bug 245631
Flags: blocking-aviary1.1-
Flags: blocking-aviary1.1+
Flags: blocking-aviary1.0.5-
Flags: blocking-aviary1.0.5+
Removing blocking minus, we didn't reject this problem, it's just a duplicate
Flags: blocking-aviary1.1-
Flags: blocking-aviary1.0.5-
Group: security
Assignee: vladimir+bm → nobody
sorry for bugspam, long-overdue mass reassign of ancient QA contact bugs, filter on "beltznerLovesGoats" to get rid of this mass change
QA Contact: mconnor → bookmarks