Closed Bug 426892 Opened 17 years ago Closed 17 years ago

"Data Execution Prevention" error when clicking reply in gmail

Categories

(Firefox :: Security, defect)

x86
Windows Vista
defect
Not set
major

RESOLVED DUPLICATE of bug 425499

People

(Reporter: ravenousbugblatterbeast, Unassigned)

Details

(Keywords: crash)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9b5) Gecko/2008032620 Firefox/3.0b5
Since upgrading from 3.0b4 to 3.0b5, approximately 50% of the time when I try and reply to a message Windows kills firefox.exe with the data execution prevention error. Showing details reveals the following:
Problem signature:
  Problem Event Name: BEX
  Application Name: firefox.exe
  Application Version: 1.9.0.3007
  Application Timestamp: 47eb31c2
  Fault Module Name: StackHash_8d13
  Fault Module Version: 0.0.0.0
  Fault Module Timestamp: 00000000
  Exception Offset: 20202020
  Exception Code: c0000005
  Exception Data: 00000008
  OS Version: 6.0.6000.2.0.0.256.1
  Locale ID: 2057
  Additional Information 1: 8d13
  Additional Information 2: cdca9b1d21d12b77d84f02df48e34311
  Additional Information 3: 8d13
  Additional Information 4: cdca9b1d21d12b77d84f02df48e34311
Reproducible: Sometimes
Steps to Reproduce:
1. Login to gmail
2. Click on a message thread in inbox
3. Click the reply button at the bottom of the thread
Actual Results: Windows kills the firefox process with the above error message
Flagging it as a security issue as I don't know if it leads to a remotely exploitable stack overflow or not.
I have now repeated this on a new profile, and this time the Mozilla Crash Report kicked in instead of Windows handling it, so there should now be a crash dump available. In order to repeat the bug I had to install the Firebug 1.1.0b12 extension from www.getfirebug.com. In my original profile, I had followed google's advice about how to configure firebug not to slow down gmail. I did not change any firefox or firebug settings from their default on the new profile on which I repeated the bug. Although this is probably a bug in the extension, it should still be treated as a Firefox issue, as a pure javascript extension with no compiled code of its own shouldn't be able to cause a DEP error.
Keywords: crash
See also bug 426621 filed today. We need the crash id to tie a particular report to this bug. Please type "about:crashes" in the address bar (w/out the quotes) and hit return. Paste the crash-id into this bug (if you prepend "bp-" to the ID bugzilla will auto-link it to the crash-stats server). Being shut down by DEP is bad, it hints that the problem might be exploitable on a system without similar no-execute protection.
Keywords: crash
Whiteboard: [sg:needinfo]
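A triage sketch for the problem signature quoted in the original report, added here as an example; it is not part of the bug thread or of any Mozilla tooling. It assumes the usual reading of these Windows Error Reporting fields: Exception Data 8 on an access violation means the fault was an instruction fetch, a `StackHash_` module name means the faulting address was in no loaded module, and the function names are hypothetical.

```python
import re

# Field names as they appear in the signature quoted in the report.
FIELDS = [
    "Problem Event Name", "Application Name", "Application Version",
    "Application Timestamp", "Fault Module Name", "Fault Module Version",
    "Fault Module Timestamp", "Exception Offset", "Exception Code",
    "Exception Data",
]

# Signature text copied from the report, flattened onto one line as pasted.
SIGNATURE = (
    "Problem Event Name: BEX Application Name: firefox.exe "
    "Application Version: 1.9.0.3007 Application Timestamp: 47eb31c2 "
    "Fault Module Name: StackHash_8d13 Fault Module Version: 0.0.0.0 "
    "Fault Module Timestamp: 00000000 Exception Offset: 20202020 "
    "Exception Code: c0000005 Exception Data: 00000008"
)

def parse_signature(text):
    """Split flattened 'Name: value' text on the known field names."""
    pattern = "(" + "|".join(re.escape(f) for f in FIELDS) + "):"
    parts = re.split(pattern, text)  # [prefix, name1, value1, name2, value2, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}

def triage(sig):
    """Return the findings that make a crash worth a security review."""
    findings = []
    code = int(sig["Exception Code"], 16)
    data = int(sig["Exception Data"], 16)
    offset = int(sig["Exception Offset"], 16)
    # Assumption: 0xC0000005 with access type 8 is a fetch from no-execute memory.
    if code == 0xC0000005 and data == 8:
        findings.append("dep_violation")
    # Assumption: StackHash_* replaces the module name when none contains the address.
    if sig["Fault Module Name"].startswith("StackHash_"):
        findings.append("no_loaded_module")
    # An address made only of printable bytes suggests text data reached the
    # instruction pointer; here 0x20202020 decodes to four ASCII spaces.
    raw = offset.to_bytes(4, "little")
    if all(0x20 <= b < 0x7F for b in raw):
        findings.append("ascii_instruction_pointer:" + repr(raw.decode("ascii")))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_signature(SIGNATURE)):
        print(finding)
```

All three findings fire for this report, which is why a crash that DEP stopped is still treated as potentially exploitable until the duplicate bug's root cause is known.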
Keywords: crash
Crash info: http://crash-stats.mozilla.com/report/index/2b0773ae-01d0-11dd-9cf9-001a4bd43ef6?date=2008-04-03-22
I also looked this up on the firebug bug tracker here: http://code.google.com/p/fbug/issues/detail?id=578
I have found I can reliably repeat the problem every time as follows:
1. Install Firefox 3.0b5
2. Install Firebug 1.10b12
3. Visit http://portal.wecreatestuff.com/portal.php
For me, it will crash as soon as the flash game file finishes downloading, but only when firebug is enabled.
One more thing that may or may not be relevant: I am running on a 64-bit version of Windows Vista.
I cannot repeat the error on http://portal.wecreatestuff.com/portal.php using the latest tinderbox build.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9pre) Gecko/2008040412 Minefield/3.0pre ID:2008040412
I can reproduce it on Firefox 3.0b5 using firebug 1.20a12.
Based on this I suggest that this is a dup of Bug 425499
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Group: security
Whiteboard: [sg:needinfo]