Closed Bug 379648 Opened 18 years ago Closed 15 years ago

Illegal operation error and crash while viewing movie trailer [@ nsPluginDOMContextMenuListener::Destroy 6bfc2991]

Categories

(Core Graveyard :: Plug-ins, defect)

1.8 Branch
x86
Windows Vista
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: marcia, Assigned: jst)

Details

(Keywords: crash, qawanted)

Crash Data

Attachments

(1 file)

Seen using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.4) Gecko/2007050106 Firefox/2.0.0.4.

STR:
1. Install the new QuickTime plugin, QuickTime Plug-in 7.1.6.
2. Navigate to http://www.apple.com/trailers/fox/fantasticfourriseofthesilversurfer/.

I receive the illegal operation dialog in the screenshot. I am able to escape out. I then try to play the trailer, and kaboom -> crash. Talkback to follow.
TB31781955Q confirmed with the steps to reproduce from marcia and 2004 RC1 on Vista

Stack Signature: nsPluginDOMContextMenuListener::Destroy 6bfc2991
Product ID: Firefox2
Build ID: 2007050106
Trigger Time: 2007-05-03 14:18:32.0
Platform: Win32
Operating System: Windows NT 6.0 build 6000
Module: firefox.exe + (002ed7fd)
URL visited:
User Comments: Bug 379648
Since Last Crash: 23857 sec
Total Uptime: 23857 sec
Trigger Reason: Access violation
Source File, Line No.: c:/builds/tinderbox/Fx-Mozilla1.8-release/WINNT_5.2_Depend/mozilla/layout/generic/nsObjectFrame.cpp, line 2266

Stack Trace:
nsPluginDOMContextMenuListener::Destroy [mozilla/layout/generic/nsObjectFrame.cpp, line 2266]
nsPluginInstanceOwner::Destroy [mozilla/layout/generic/nsObjectFrame.cpp, line 3913]
nsObjectFrame::Destroy [mozilla/layout/generic/nsObjectFrame.cpp, line 772]
nsLineBox::DeleteLineList [mozilla/layout/generic/nsLineBox.cpp, line 325]
nsFrameList::DestroyFrames [mozilla/layout/generic/nsFrameList.cpp, line 138]
nsLineBox::DeleteLineList [mozilla/layout/generic/nsLineBox.cpp, line 325]
nsLineBox::DeleteLineList [mozilla/layout/generic/nsLineBox.cpp, line 325]
nsFrameList::DestroyFrames [mozilla/layout/generic/nsFrameList.cpp, line 138]
CanvasFrame::Destroy [mozilla/layout/generic/nsHTMLFrame.cpp, line 230]
nsFrameList::DestroyFrames [mozilla/layout/generic/nsFrameList.cpp, line 138]
nsHTMLScrollFrame::Destroy [mozilla/layout/generic/nsGfxScrollFrame.cpp, line 172]
ViewportFrame::Destroy [mozilla/layout/generic/nsViewportFrame.cpp, line 67]
DocumentViewerImpl::Hide [mozilla/layout/base/nsDocumentViewer.cpp, line 2033]
nsDocShell::SetVisibility [mozilla/docshell/base/nsDocShell.cpp, line 3782]
nsFrameList::DestroyFrames [mozilla/layout/generic/nsFrameList.cpp, line 138]
nsBoxFrame::Destroy [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120]
nsBoxFrame::Destroy [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120]
nsBoxFrame::Destroy [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120]
nsBoxFrame::Destroy [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120]
nsBoxFrame::Destroy [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120]
nsBoxFrame::Destroy [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120]
nsBoxFrame::Destroy [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120]
nsBoxFrame::Destroy [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120]
nsBoxFrame::Destroy [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120]
nsBoxFrame::Destroy [mozilla/layout/xul/base/src/nsBoxFrame.cpp, line 1120]
ViewportFrame::Destroy [mozilla/layout/generic/nsViewportFrame.cpp, line 67]
DocumentViewerImpl::Destroy [mozilla/layout/base/nsDocumentViewer.cpp, line 1555]
nsDocShell::Destroy [mozilla/docshell/base/nsDocShell.cpp, line 3529]
nsXULWindow::Destroy [mozilla/xpfe/appshell/src/nsXULWindow.cpp, line 514]
nsWebShellWindow::Destroy [mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 850]
nsWebShellWindow::HandleEvent [mozilla/xpfe/appshell/src/nsWebShellWindow.cpp, line 408]
nsWindow::DispatchEvent [mozilla/widget/src/windows/nsWindow.cpp, line 1389]
nsWindow::DispatchStandardEvent [mozilla/widget/src/windows/nsWindow.cpp, line 1429]
nsWindow::ProcessMessage [mozilla/widget/src/windows/nsWindow.cpp, line 4584]
nsWindow::WindowProc [mozilla/widget/src/windows/nsWindow.cpp, line 1577]
USER32.dll + 0x21a10 (0x77a51a10)
USER32.dll + 0x21ae8 (0x77a51ae8)
USER32.dll + 0x21c03 (0x77a51c03)
USER32.dll + 0x23656 (0x77a53656)
ntdll.dll + 0x60e6e (0x77950e6e)
USER32.dll + 0x21d87 (0x77a51d87)
uxtheme.dll + 0x789b (0x7525789b)
uxtheme.dll + 0x1f86a (0x7526f86a)
uxtheme.dll + 0x728c (0x7525728c)
uxtheme.dll + 0x1f61 (0x75251f61)
USER32.dll + 0x1a096 (0x77a4a096)
nsWindow::DefaultWindowProc [mozilla/widget/src/windows/nsWindow.cpp, line 1603]
USER32.dll + 0x21a10 (0x77a51a10)
USER32.dll + 0x21ae8 (0x77a51ae8)
USER32.dll + 0x22d6e (0x77a52d6e)
USER32.dll + 0x22d14 (0x77a52d14)
nsWindow::WindowProc [mozilla/widget/src/windows/nsWindow.cpp, line 1584]
USER32.dll + 0x21a10 (0x77a51a10)
USER32.dll + 0x23123 (0x77a53123)
USER32.dll + 0x22a47 (0x77a52a47)
USER32.dll + 0x22a98 (0x77a52a98)
nsAppShell::Run [mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run [mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 152]
main [mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x43833 (0x77673833)
ntdll.dll + 0x3a9bd (0x7792a9bd)
Severity: normal → critical
Flags: blocking1.8.1.5?
Summary: Illegal operation error and crash while viewing movie trailer → Illegal operation error and crash while viewing movie trailer [@ nsPluginDOMContextMenuListener::Destroy 6bfc2991]
I don't seem to crash running any of the other trailers on that site, using the same build and Vista.
From the error console shortly before the crash: Error: cyclic __proto__ value. Also no crash on trunk build: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9a5pre) Gecko/2007050304 Minefield/3.0a5pre
Using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.3) Gecko/2007030919 Firefox/2.0.0.3, I still get the error message but no crash on the Silver Surfer trailer. It is interesting that clicking on the trailer launches a standalone window for the player. I noticed on the Intel Mac (2.0.0.4 pre build) that the trailer was contained within the browser window and not placed outside it. Tomcat also mentioned that the Silver Surfer trailer plays fine on XP -> so far this seems to be a Win Vista issue of some sort.
Having a look at the stack trace shows that it crashes within a part which changed rigorously on trunk. Biesi, you created a patch on bug 322414 which modified the top frame. Do you have any idea?
Today I crashed when trying to watch the High band version of the Paprika trailer on the apple.com/trailers site. No talkback came up, it was a bit of a delayed crash.
This crash could well be exploitable, and if a hacker could figure out what kind of video/page content causes this reliably, it'd be easy to exploit. Why would it only be Vista, though, if it's clearly crashing in our own not-Vista-specific code? Does it crash on older versions of QuickTime, or just the latest?
Assignee: nobody → jst
Keywords: qawanted
Whiteboard: [sg:investigate]
Group: security
(In reply to comment #7)
> This crash could well be exploitable, and if a hacker could figure out what
> kind of video/page content causes this reliable it'd be easy to exploit.
>
> Why would it only be Vista, though, if it's clearly crashing in our own
> not-Vista-specific code?
>
> Does it crash on older versions of QuickTime, or just the latest?

Using Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.5pre) Gecko/2007061807 BonEcho/2.0.0.5pre and the last version of QuickTime (QuickTime Plug-in 7.1.5), I don't get the crash. Using the same nightly with the 7.1.6 version causes a crash. I also tested the same trailer on the latest nightly on the Mac with 7.1.6 QuickTime, and there seems to be no problem there with any crashes.
I don't think we have enough information to seriously block on this, unless it becomes a top-crash and we can justify pulling in folks off other bugs.
Flags: blocking1.8.1.5? → wanted1.8.1.x+
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
Whiteboard: [sg:investigate]
Group: core-security
Crash Signature: [@ nsPluginDOMContextMenuListener::Destroy 6bfc2991]
Product: Core → Core Graveyard