Closed Bug 480863 Opened 11 years ago Closed 10 years ago

Crash [@plds4.dll:PL_HashTableRawLookup]

Categories

(Core :: Audio/Video, defect, critical)

RESOLVED DUPLICATE of bug 481921

People

(Reporter: pvnick, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, qawanted, testcase, Whiteboard: [sg:dupe 481921])

Attachments

(3 files, 2 obsolete files)

Attached video Corrupted file
A bug exists that can be triggered when loading a malformed Theora video file. Here's the last couple of lines to be executed:

            length += length + 1;
00570032  mov         edx,dword ptr [length] 
00570035  mov         eax,dword ptr [length] 
00570038  lea         ecx,[eax+edx+1] 
0057003C  mov         dword ptr [length],ecx 
            JS_ARENA_GROW_CAST(base, jschar *, pool, tbsize, tbsize);
0057003F  mov         edx,dword ptr [pool] 
00570042  mov         eax,dword ptr [edx+10h] 
00570045  mov         dword ptr [_a],eax 
00570048  mov         ecx,dword ptr [pool] 
0057004B  mov         edx,dword ptr [tbsize] 
0057004E  db          03h  
0057004F  push        ecx  

I don't think this is exploitable, but 0x0057 0x004f are the letters WO, so I'm wondering if eip is controllable. If it is, then this bug is exploitable. Would someone have a look at it?
Attached file Stack trace (obsolete)
Blocks: 413380
Attached file Testcase (obsolete)
Attached file Testcase
I used the wrong testcase format. Here's the right one.
Attachment #364823 - Attachment is obsolete: true
Attached file Updated stack trace
I think this should be a more-accurate stack trace. I'll change the bug title to reflect the top-most function.
Attachment #364821 - Attachment is obsolete: true
Btw, the stack likes to change around, so someone please look at this and diagnose the problem. The title and currently-uploaded stack reflect the crash that occurred closest to the point at which I open the testcase and press crash.
Summary: Crash [@js3250.dll!GrowTokenBuf] → Crash [@plds4.dll:PL_HashTableRawLookup]
I debugged it and I can see the same problem as in bug 481921.
With that fix applied, I can't reproduce the crash and 'valgrind' is silent.
(Firefox trunk on Linux x86_64)
Depends on: 481921
Keywords: crash
OS: Windows XP → All
Hardware: x86 → All
qawanted: please verify that this bug is actually fixed by bug 481921
Keywords: qawanted, testcase
Whiteboard: [sg:dupe 481921]
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 481921
Group: core-security
Crash Signature: [@plds4.dll:PL_HashTableRawLookup]