Investigate crash [@ XPC_WN_Equality][@ UserCallWinProcCheckWow] when loading/unloading Adobe objects through EMBED

Status: RESOLVED FIXED
Product: Core
Component: Plug-ins
Reported: 9 years ago
Modified: 5 years ago

People

(Reporter: bsterne, Unassigned)

Tracking

Version: 1.9.0 Branch
Hardware: x86
OS: Windows XP

Details

(Whiteboard: [sg:needinfo] can't repro?, URL)

(Reporter)

Description

9 years ago
This issue was reported to the security@m.o. alias and I can confirm that it does produce a crash using Firefox 3.0.4 on Windows XP (it requires the Adobe Acrobat plugin to be installed).

http://crash-stats.mozilla.com/report/index/b3f0ea72-3146-45f1-8ce1-4d2b72081209?p=1

The stack in the crash report isn't very enlightening since the crash occurs in the unloaded plugin module.  Hopefully someone with a Windows debug build can help investigate here.

From the report:

-----
I've found that loading/unloading various Adobe objects using their mime type and an EMBED tag causes memory corruption in Firefox. Here are repros for all mime types I've found to be affected:

http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/pdf
http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/vnd.adobe.xdp+xml
http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/vnd.adobe.xfd+xml
http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/vnd.adobe.xfdf
http://skypher.com/SkyLined/Repro/COM/Object%20instantiation/EMBED%20type%20manual.html?application/vnd.fdf

This does not appear to affect any other browser. However, when I load the repro in other browsers, I do hear an audio alert, after which it appears the object no longer loads in the browser. I believe that this is a bug as well, but it does not seem to have direct security implications.

A similar issue affects VLC player objects, for which I've sent a separate email to the appropriate people. This makes it more likely that the issue is in Firefox and not the Adobe objects.
-----
Related to bug 434593?

Comment 2

9 years ago
If the VLC player object is a problem without ever having loaded PDFs, then it's not related to 434593 since that needs PDFs loaded to trigger.  Is there a separate bug for the VLC objects with more details?

Comment 3

9 years ago
The VLC issue is unrelated to the PDF issue in that you do not need one to trigger the bug in the other and vice versa. I thought it may be a similar flaw or even trigger the exact same flaw in Firefox code, which is why I mentioned it.

The most recent version of VLC fixes the issue there. AFAIK, there is no bugzilla entry for that bug.

Comment 4

9 years ago
I can no longer connect to skypher.com to test this ("The server is taking too long to respond").  Is anyone else able to connect?

Comment 5

9 years ago
Odd - it is working fine for me...
Whiteboard: [sg:needinfo] can't repro?

Comment 6

9 years ago
Below is the code for the page in case you still can't connect to it. Save this to an HTML file and open it in Firefox. It is a generic test so you'll need to specify a mimetype to test in the URL. The original repro URLs I reported will tell you which mimetypes trigger the bug.

<BODY onload=go()></BODY>
<SCRIPT>
	// The mime type under test is taken from the query string, e.g. ?application/pdf
	var sMimeType = null, sHTML = null, iCounter = 100;
	if (location.search) {
		// strip the leading "?" and any quote or angle-bracket characters
		sMimeType = location.search.replace(/[\?\<\'\"]/g, "");
	}
	if (sMimeType) {
		sHTML = sMimeType + " <EMBED type='" + sMimeType + "'></EMBED>";
	} else {
		// no mime type given: ask for one and reload with it in the URL
		location = "?" + prompt("Mime type?", "");
	}
	function go() {
		if (sMimeType && iCounter > 0) {
			// replace the body 100 times with six fresh EMBEDs, so the plugin
			// instances created on the previous pass are unloaded each time
			iCounter--;
			document.body.innerHTML = iCounter.toString() +
			sHTML + sHTML + sHTML + sHTML + sHTML + sHTML;
			setTimeout(go, 0);
		} else if (sMimeType) {
			// after 100 passes, reload the page and start over
			location.reload();
		}
	}
</SCRIPT>
Comment 7

I got these breakpad stacks when trying out the testcase:
http://crash-stats.mozilla.com/report/index/d55628cb-055d-4bfe-9446-547db2081215?p=1
0   xul.dll   XPC_WN_Equality      js/src/xpconnect/src/xpcwrappednativejsops.cpp:760
1   xul.dll   nsAttrValue::Reset
2             @0x7ffdfbff

And:
http://crash-stats.mozilla.com/report/index/3da0e974-b37b-45c2-9413-242aa2081215?p=1
0                 @0x1
1   user32.dll    UserCallWinProcCheckWow
2   user32.dll    CallWindowProcAorW
3   user32.dll    CallWindowProcA
4   nppdf32.dll   nppdf32.dll@0x67af
5   user32.dll    InternalCallWinProc
6   user32.dll    UserCallWinProcCheckWow
7   user32.dll    DispatchClientMessage
8   user32.dll    __fnDWORD
9   ntdll.dll     KiUserCallbackDispatcher
10  nppdf32.dll   nppdf32.dll@0x66a5
11  user32.dll    DispatchMessageW
12  xul.dll       nsAppShell::ProcessNextNativeEvent   widget/src/windows/nsAppShell.cpp:149
13  winmm.dll     timeGetTime
Summary: Investigate crash when loading/unloading Adobe objects through EMBED → Investigate crash [@ XPC_WN_Equality][@ UserCallWinProcCheckWow] when loading/unloading Adobe objects through EMBED
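The two breakpad stacks above are the key triage evidence in this bug: one has a frame with no owning module at all, the other starts at @0x1 and passes twice through unsymbolized offsets in nppdf32.dll, which is what "the crash occurs in the unloaded plugin module" looks like in a crash report. The following script is an added example, not code from this bug or from Mozilla's crash-stats tooling; it parses frames in the plain "index module symbol source" layout shown in the comment (the sample input is the two stacks retyped with spaces, constructed here for offline use) and flags the frames a triager would look at first.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two breakpad stacks quoted in the comment
# above, retyped with plain spaces between the columns.
STACK_XPC_WN_EQUALITY = """\
0  xul.dll  XPC_WN_Equality  js/src/xpconnect/src/xpcwrappednativejsops.cpp:760
1  xul.dll  nsAttrValue::Reset
2  @0x7ffdfbff
"""

STACK_USERCALLWINPROC = """\
0  @0x1
1  user32.dll  UserCallWinProcCheckWow
2  user32.dll  CallWindowProcAorW
3  user32.dll  CallWindowProcA
4  nppdf32.dll  nppdf32.dll@0x67af
5  user32.dll  InternalCallWinProc
6  user32.dll  UserCallWinProcCheckWow
7  user32.dll  DispatchClientMessage
8  user32.dll  __fnDWORD
9  ntdll.dll  KiUserCallbackDispatcher
10  nppdf32.dll  nppdf32.dll@0x66a5
11  user32.dll  DispatchMessageW
12  xul.dll  nsAppShell::ProcessNextNativeEvent  widget/src/windows/nsAppShell.cpp:149
13  winmm.dll  timeGetTime
"""

# A module column looks like a binary name; assumption: these suffixes cover the cases we care about.
MODULE_RE = re.compile(r"^[\w.+-]+\.(dll|exe|so|dylib)$", re.IGNORECASE)
# An unsymbolized frame is either "module@0xoffset" or a bare "@0xaddress".
OFFSET_ONLY_RE = re.compile(r"^(?:[\w.+-]+)?@0x[0-9a-fA-F]+$")


@dataclass
class Frame:
    index: int
    module: Optional[str]   # None when breakpad found no loaded module at the address
    symbol: str             # function name, or an "@0x..." form when unsymbolized
    source: Optional[str]   # file:line when debug info was available


def parse_frame(line: str) -> Optional[Frame]:
    """Parse one 'index [module] symbol [source]' line; return None for non-frame lines."""
    fields = line.split()
    if len(fields) < 2 or not fields[0].isdigit():
        return None
    rest = fields[1:]
    module = rest.pop(0) if MODULE_RE.match(rest[0]) else None
    symbol = rest.pop(0)
    source = rest.pop(0) if rest else None
    return Frame(int(fields[0]), module, symbol, source)


def parse_stack(text: str) -> List[Frame]:
    return [f for f in (parse_frame(l) for l in text.splitlines()) if f is not None]


def classify(frame: Frame) -> Optional[str]:
    """Reason a frame is suspicious, or None if it is a normal symbolized frame."""
    if frame.module is None:
        return "no module"            # address is not inside any loaded module
    if OFFSET_ONLY_RE.match(frame.symbol):
        return "unsymbolized offset"  # inside a module but with no symbols (plugin code)
    return None


def triage(text: str) -> dict:
    """Summarize what a crash-stack reader wants to know before opening a debugger."""
    frames = parse_stack(text)
    suspicious: List[Tuple[int, str]] = [
        (f.index, r) for f in frames if (r := classify(f)) is not None
    ]
    first_ok = next((f for f in frames if classify(f) is None), None)
    return {
        "frame_count": len(frames),
        # True when execution faulted at an address outside every loaded module,
        # i.e. the program jumped to a pointer that no longer refers to code.
        "pc_outside_module": bool(frames) and frames[0].module is None,
        "suspicious": suspicious,
        "first_symbolized": f"{first_ok.module}!{first_ok.symbol}" if first_ok else None,
        "modules": sorted({f.module for f in frames if f.module}),
    }


if __name__ == "__main__":
    for name, stack in (("XPC_WN_Equality", STACK_XPC_WN_EQUALITY),
                        ("UserCallWinProcCheckWow", STACK_USERCALLWINPROC)):
        print(name, triage(stack))
```

On the second stack the report says the faulting instruction pointer is outside every module and that the nearest symbolized frame is user32's window-procedure dispatcher, with two unsymbolized nppdf32.dll frames between it and the message loop; that combination is what supports comment 8's reading that the window procedure still points into plugin code that has been unloaded, rather than a bug in the user32 frames themselves.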

Comment 8

9 years ago
I get the second crash listed above, and that is definitely the same cause as 434593.  I haven't been able to reproduce to get the first crash stack, but it's possible it's the same because it's jumping into arbitrary code.

If nobody objects, I'll mark this also as a duplicate of 434593.

Comment 9

9 years ago
I don't have access to 434593, so I can't help you make that decision.

Comment 10

9 years ago
This should be fixed with the new release of Reader/Acrobat 9.1.  If you do apply that patch, please verify that the nppdf32.dll in the plugins folder is patched; it should be, but we have some reports that sometimes it is not.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Group: core-security