Crash when streaming mjpegs are stopped at the server side and then restarted.

RESOLVED DUPLICATE of bug 443714

Status

Core
ImageLib
critical
10 years ago
9 years ago

People

(Reporter: zakalwe, Unassigned)


(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.1) Gecko/2008071815 (Gentoo) Firefox/3.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.1) Gecko/2008071815 (Gentoo) Firefox/3.0.1

Using zoneminder I can consistently crash firefox with evidence of memory corruption. Specifically:

PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /usr/lib64/mozilla-firefox/firefox(firefox):23224, uid/euid: 1000/1000, PC: 0000000000000131, SP: 00007694c3aab5d8
PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
PAX: bytes at SP-8:



Reproducible: Always

Steps to Reproduce:
1) Open up zoneminder in a tab and open one of the streaming camera views.

2) Close all the zoneminder tabs

3) Stop zoneminder on the server

4) Start zoneminder on the server

5) Firefox Crashes.

Actual Results:  
PAX: execution attempt in: <NULL>, 00000000-00000000 00000000
PAX: terminating task: /usr/lib64/mozilla-firefox/firefox(firefox):23224, uid/euid: 1000/1000, PC: 0000000000000131, SP: 00007694c3aab5d8
PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 
PAX: bytes at SP-8:

Expected Results:  
I expect the mjpeg streams to be closed when the tabs have been closed, but I believe there is another open bug for this problem.  Other than that, I expect firefox not to crash.

I am not entirely sure whether this is exploitable or not because I do not really have the time to debug it and work out if any of the memory corruption can be controlled by the attacker.  But I'm going to err on the side of caution and mark this as a security bug so that you can determine that.

(Reporter)

Comment 1

10 years ago
Created attachment 330288 [details]
Stacktrace in gdb of the crash

I couldn't get this to crash with debugging options turned on in the configure, but I hope the above is useful.
Whiteboard: [sg:investigate]
Component: General → ImageLib
Product: Firefox → Core
QA Contact: general → imagelib
Group: core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:investigate]
Duplicate of bug: 443714