Bug 480863 (Closed): Crash [@plds4.dll:PL_HashTableRawLookup]
Opened 16 years ago, closed 15 years ago
Categories: Core :: Audio/Video, defect
Status: RESOLVED DUPLICATE of bug 481921
People: Reporter: pvnick, Unassigned
Keywords: crash, qawanted, testcase; Whiteboard: [sg:dupe 481921]
Attachments: 3 files, 2 obsolete files
A bug exists that can be triggered when loading a malformed Theora video file. Here are the last couple of lines to be executed:
length += length + 1;
00570032 mov edx,dword ptr [length]
00570035 mov eax,dword ptr [length]
00570038 lea ecx,[eax+edx+1]
0057003C mov dword ptr [length],ecx
JS_ARENA_GROW_CAST(base, jschar *, pool, tbsize, tbsize);
0057003F mov edx,dword ptr [pool]
00570042 mov eax,dword ptr [edx+10h]
00570045 mov dword ptr [_a],eax
00570048 mov ecx,dword ptr [pool]
0057004B mov edx,dword ptr [tbsize]
0057004E db 03h
0057004F push ecx
I don't think this is exploitable, but 0x0057 0x004f are the letters WO, so I'm wondering if eip is controllable. If it is, then this bug is exploitable. Would someone have a look at it?
Comment 1•16 years ago (Reporter)
Comment 2•16 years ago (Reporter)
Comment 3•16 years ago (Reporter)
I used the wrong testcase format. Here's the right one.
Attachment #364823 - Attachment is obsolete: true
Comment 4•16 years ago (Reporter)
I think this should be a more-accurate stack trace. I'll change the bug title to reflect the top-most function.
Attachment #364821 - Attachment is obsolete: true
Comment 5•16 years ago (Reporter)
Btw, the stack likes to change around, so someone please look at this and diagnose the problem. The title and currently-uploaded stack reflect the crash that occurred closest to the point at which I open the testcase and press crash.
Summary: Crash [@js3250.dll!GrowTokenBuf] → Crash [@plds4.dll:PL_HashTableRawLookup]
Comment 6•16 years ago
I debugged it and I can see the same problem as in bug 481921.
With that fix applied, I can't reproduce the crash and 'valgrind' is silent.
(Firefox trunk on Linux x86_64)
Comment 7•16 years ago
qawanted: please verify that this bug is actually fixed by bug 481921
Updated•15 years ago (Reporter)
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Updated•15 years ago
Group: core-security
Updated•14 years ago (Assignee)
Crash Signature: [@plds4.dll:PL_HashTableRawLookup]