328998 - Firefox crashes if 2 tabs or 2 windows are rendering this URL with Java3D plugin in it

Status: RESOLVED INCOMPLETE

(Firefox :: General, defect)

Description

[Jon Seanor]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

Browse to http://www.downloadjava3d.com/java3dtest.php.
Open a new tab, in that tab browse to http://www.downloadjava3d.com/java3dtest.php.

All Firefox instances crash.




Reproducible: Always

Steps to Reproduce:
You need Java installed.
Java 1.4.2 or 1.5.x will do. it happens with either.
You also need the "Java 3D" plugin. Available from the site in question http://www.downloadjava3d.com, or directly from the "java3d project" pages.
1.3.2 OR 1.4 will do (the crash happens with either)
Browse to http://www.downloadjava3d.com/java3dtest.php.
Open a new tab, in that tab browse to http://www.downloadjava3d.com/java3dtest.php.

OR

Repeat, but this time open the URL in different windows.


Actual Results:  
_All_ instances of Firefox on the desktop crash.


Expected Results:  
Should render a 3d applet in both windows, or render successfully in the first and fail gracefully in the second.

I think this is a critical bug because this could be used maliciously in 'tiny' applets to crash all instances of Firefox that are running.

I'm not yet sure if this bug could be exploited to run arbitrary code.
I will attach a stack trace and any dump files that I can.

Comment 1

[Jon Seanor]

I'm not sure if having 2 applets on a single page will cause the crash too.
I can set up a test page if you like.

Obviously a malicious site could display a 1x1 pixel applet on page 'A' with a link to page 'B' which also has a 1x1 pixel applet. If page 'B' opens in a new window (or tab) then Firefox will crash.

Not yet a real seacurity threat, more of an extreme annoyance.

Comment 2

[Daniel Veditz [:dveditz]]

Where is the crash? It might be in Firefox but it seems more likely to be in the required 3D plugin software that's installed. If you've installed Firefox with the quality reporting tool that would let us know. (I'm not personally likely to install random 3rd party software to test this until I can get back to a box running VMWare so providing a talkback trace would speed things up.)

Comment 3

[Jon Seanor]

couldn't get the talkback tool to catch this one, but a stack trace was dumped to the installation dir. I assume thats the one you want (attached).

Looks like it is a crash in te plugin. I'll raise it with the j3d project.

Comment 4

[Jon Seanor]

Attachment: stack trace

Tried to attach this once already, but it didn't look like it worked.
Sorry if this is a dupe.

Comment 5

[Jon Seanor]

Annecdotal evidence is that crash is GPU HW/driver depedent.
Queried 4 people. Crash so far only occurs on Via/S3G chipset. Doesn't occur on higher spec GPU. So hopefully low frequency problem.

Comment 6

[Wayne Mery (:wsmwk)]

reporter, Do you still see this problem. If you do not, please close the bug with resolution WORKSFORME, INVALID, etc as may be appropriate to your situation (but not FIXED unless you know the bug with the patch). 

If you still see problem using a current version of Firefox or trunk build, please provide additional detail.

Comment 7

[Tyler Downer [He/Him]]

@Reporter, we have not heard back from you in a while, so I am closing this bug as INCOMPLETE. You can reopen this bug if more information becomes available. Some helpful information you can provide us is found at http://quality.mozilla.org/bug-writing-guidelines.