Firefox crashes if 2 tabs or 2 windows are rendering this URL with Java3D plugin in it

RESOLVED INCOMPLETE

Status

()

defect
--
critical
RESOLVED INCOMPLETE
13 years ago
11 years ago

People

(Reporter: jonks2003, Unassigned)

Tracking

({crash})

1.5.0.x Branch
x86
Windows XP
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

Browse to http://www.downloadjava3d.com/java3dtest.php.
Open a new tab, in that tab browse to http://www.downloadjava3d.com/java3dtest.php.

All Firefox instances crash.




Reproducible: Always

Steps to Reproduce:
You need Java installed.
Java 1.4.2 or 1.5.x will do. it happens with either.
You also need the "Java 3D" plugin. Available from the site in question http://www.downloadjava3d.com, or directly from the "java3d project" pages.
1.3.2 OR 1.4 will do (the crash happens with either)
Browse to http://www.downloadjava3d.com/java3dtest.php.
Open a new tab, in that tab browse to http://www.downloadjava3d.com/java3dtest.php.

OR

Repeat, but this time open the URL in different windows.


Actual Results:  
_All_ instances of Firefox on the desktop crash.


Expected Results:  
Should render a 3d applet in both windows, or render successfully in the first and fail gracefully in the second.

I think this is a critical bug because this could be used maliciously in 'tiny' applets to crash all instances of Firefox that are running.

I'm not yet sure if this bug could be exploited to run arbitrary code.
I will attach a stack trace and any dump files that I can.
(Reporter)

Comment 1

13 years ago
I'm not sure if having 2 applets on a single page will cause the crash too.
I can set up a test page if you like.

Obviously a malicious site could display a 1x1 pixel applet on page 'A' with a link to page 'B' which also has a 1x1 pixel applet. If page 'B' opens in a new window (or tab) then Firefox will crash.

Not yet a real seacurity threat, more of an extreme annoyance.
Where is the crash? It might be in Firefox but it seems more likely to be in the required 3D plugin software that's installed. If you've installed Firefox with the quality reporting tool that would let us know. (I'm not personally likely to install random 3rd party software to test this until I can get back to a box running VMWare so providing a talkback trace would speed things up.)
Group: security
Keywords: crash
(Reporter)

Comment 3

13 years ago
couldn't get the talkback tool to catch this one, but a stack trace was dumped to the installation dir. I assume thats the one you want (attached).

Looks like it is a crash in te plugin. I'll raise it with the j3d project.
(Reporter)

Comment 4

13 years ago
Posted file stack trace
Tried to attach this once already, but it didn't look like it worked.
Sorry if this is a dupe.

Updated

13 years ago
Summary: Firefox crashes if 2 tabs or 2 windows are rendering this URL. → Firefox crashes if 2 tabs or 2 windows are rendering this URL with Java3D plugin in it
(Reporter)

Comment 5

13 years ago
Annecdotal evidence is that crash is GPU HW/driver depedent.
Queried 4 people. Crash so far only occurs on Via/S3G chipset. Doesn't occur on higher spec GPU. So hopefully low frequency problem.

Updated

13 years ago
Blocks: 353557

Updated

13 years ago
No longer blocks: 353557
reporter, Do you still see this problem. If you do not, please close the bug with resolution WORKSFORME, INVALID, etc as may be appropriate to your situation (but not FIXED unless you know the bug with the patch). 

If you still see problem using a current version of Firefox or trunk build, please provide additional detail.
Whiteboard: closeme 2008-12-10
@Reporter, we have not heard back from you in a while, so I am closing this bug as INCOMPLETE. You can reopen this bug if more information becomes available. Some helpful information you can provide us is found at http://quality.mozilla.org/bug-writing-guidelines.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → INCOMPLETE
Whiteboard: closeme 2008-12-10
Version: unspecified → 1.5.0.x Branch
You need to log in before you can comment on or make changes to this bug.