Closed Bug 480863 Opened 11 years ago Closed 10 years ago
Crash [@plds4.dll:PL_HashTableRawLookup]
A bug exists that can be triggered when loading a malformed Theora video file. Here's the last couple of lines to be executed:

length += length + 1;
00570032 mov edx,dword ptr [length]
00570035 mov eax,dword ptr [length]
00570038 lea ecx,[eax+edx+1]
0057003C mov dword ptr [length],ecx
JS_ARENA_GROW_CAST(base, jschar *, pool, tbsize, tbsize);
0057003F mov edx,dword ptr [pool]
00570042 mov eax,dword ptr [edx+10h]
00570045 mov dword ptr [_a],eax
00570048 mov ecx,dword ptr [pool]
0057004B mov edx,dword ptr [tbsize]
0057004E db 03h
0057004F push ecx

I don't think this is exploitable, but 0x0057 0x004f are the letters WO, so I'm wondering if eip is controllable. If it is, then this bug is exploitable. Would someone have a look at it?
I used the wrong testcase format. Here's the right one.
Attachment #364823 - Attachment is obsolete: true
I think this should be a more-accurate stack trace. I'll change the bug title to reflect the top-most function.
Attachment #364821 - Attachment is obsolete: true
Btw, the stack likes to change around, so someone please look at this and diagnose the problem. The title and currently-uploaded stack reflect the crash that occurred closest to the point at which I open the testcase and press crash.
Summary: Crash [@js3250.dll!GrowTokenBuf] → Crash [@plds4.dll:PL_HashTableRawLookup]
I debugged it and I can see the same problem as in bug 481921. With that fix applied, I can't reproduce the crash and 'valgrind' is silent. (Firefox trunk on Linux x86_64)
qawanted: please verify that this bug is actually fixed by bug 481921
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 481921
Crash Signature: [@plds4.dll:PL_HashTableRawLookup]