Closed Bug 432397 Opened 16 years ago Closed 15 years ago

[RealPlayer] Crash [@ JS_ClearScope] [@ XPCWrappedNative::GetNewOrUsed] [@ nsRuleNode::Transition]

Categories: Core Graveyard :: Plug-ins, defect
Platform: x86, Linux
Severity: critical
Status: RESOLVED WORKSFORME
Reporter: MatsPalmgren_bugz; Assignee: Unassigned
Keywords: crash
Whiteboard: [sg:critical?]

[RealPlayer] Crash [@ JS_ClearScope] [@ XPCWrappedNative::GetNewOrUsed] [@ nsRuleNode::Transition].

Possibly related to bug 432223.

STEPS TO REPRODUCE
1. load http://www.musicindiaonline.com/music/ut/s/hindi_bollywood/100/
2. click on a song title (the link to the right of a checkbox)
3. a popup window opens for a few seconds saying "Detecting Configuration..."
   or something of that nature then crashes.

I think these two are clean abort()s from 'std::bad_alloc':
bp-5e7645d9-1b31-11dd-89c4-0013211cbf8a
bp-84e212ae-1b33-11dd-94ba-001cc45a2c28

Here are a few which are not so clean:
bp-f39ca25e-1b36-11dd-a68c-001cc45a2ce4
bp-540b9df3-1b37-11dd-bb87-001cc45a2c28
bp-681672c5-1b37-11dd-8b0e-001cc45a2c28

PLATFORMS AND BUILDS TESTED
Bug occurs in Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9pre) Gecko/2008050504 Minefield/3.0pre, with plugin:
Helix DNA Plugin: RealPlayer G2 Plug-In Compatible version 0.4.0.626 built with gcc 3.2.0 on Jul 26 2007

In the console window I see, in some cases:

playeripc: Got command SetWindow 0 25169707 0 17 1 1 0 0 1 1 1
read: Bad address
terminate called after throwing an instance of 'std::bad_alloc'

in other cases:

read: Bad address
** (crashreporter:27974): CRITICAL **: ORBit_demarshal_object: assertion `orb != CORBA_OBJECT_NIL' failed
(realplay.bin:28042): Gdk-WARNING **: GdkWindow 0x3a0001a unexpectedly destroyed
** (realplay.bin:28042): WARNING **: g_io_channel_read_chars: Connection reset by peer
*** glibc detected *** /usr/local/RealPlayer/realplay.bin: double free or corruption (out): 0x08139a60 ***


or, third case:

playeripc: Got command SetWindow 0 25167917 0 17 1 1 0 0 1 1 1
read: Bad address
Shutting down with plugins still existing
** (realplay.bin:28412): WARNING **: g_io_channel_read_chars: Connection reset by peer
*** glibc detected *** /usr/local/RealPlayer/realplay.bin: munmap_chunk(): invalid pointer: 0x081316a0 ***

Whiteboard: [sg:critical?]

WFM on windows trunk.

Mats, are you still seeing this? If so, please nominate for blocking1.9.1, because a security bug you discovered while browsing the web is likely to be discovered by someone else as well.

It works for me on trunk, 3.2a1pre 20090109 i686 Linux. I got a few:
(realplay.bin:18637): Gtk-CRITICAL **: gtk_widget_destroy: assertion `GTK_IS_WIDGET (widget)' failed
but AFAIK it doesn't imply a security problem.

It also works for me with 3.0.6pre 2009011504 i686 Linux, but the plugin
does not start playing the music when I click a new link (as with the
trunk build) - I have to manually click the play button in the plugin
for it to start.

I'm now using:
Helix DNA Plugin: RealPlayer G2 Plug-In Compatible version 0.4.0.4005 built with gcc 3.4.3 on Feb 25 2008

and the RealPlayer README file says:  RealPlayer 11.0.0.4028 for Linux

I can't reproduce any of the bad "glibc detected" messages above so
I'm guessing the newer RealPlayer version might have fixed it...
or something could have changed at the site.

Also WFM with "Gecko/20090123 Shiretoko/3.1b3pre"

Depends on: 444749
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Crash Signature: [@ JS_ClearScope] [@ XPCWrappedNative::GetNewOrUsed] [@ nsRuleNode::Transition]
Group: core-security → core-security-release
Group: core-security-release
Product: Core → Core Graveyard