Closed Bug 480863 Opened 16 years ago Closed 15 years ago

Crash [@plds4.dll:PL_HashTableRawLookup]

Categories

(Core :: Audio/Video, defect)

defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 481921

People

(Reporter: pvnick, Unassigned)

References

Details

(Keywords: crash, qawanted, testcase, Whiteboard: [sg:dupe 481921])

Crash Data

Attachments

(3 files, 2 obsolete files)

Attached video Corrupted file
A bug exists that can be triggered when loading a malformed Theora video file. Here's the last couple of lines to be executed:

    length += length + 1;
    00570032 mov edx,dword ptr [length]
    00570035 mov eax,dword ptr [length]
    00570038 lea ecx,[eax+edx+1]
    0057003C mov dword ptr [length],ecx
    JS_ARENA_GROW_CAST(base, jschar *, pool, tbsize, tbsize);
    0057003F mov edx,dword ptr [pool]
    00570042 mov eax,dword ptr [edx+10h]
    00570045 mov dword ptr [_a],eax
    00570048 mov ecx,dword ptr [pool]
    0057004B mov edx,dword ptr [tbsize]
    0057004E db 03h
    0057004F push ecx

I don't think this is exploitable, but 0x0057 0x004f are the letters WO, so I'm wondering if eip is controllable. If it is, then this bug is exploitable. Would someone have a look at it?
Attached file Stack trace (obsolete) —
Blocks: fuzz-JSFF
Attached file Testcase (obsolete) —
Attached file Testcase
I used the wrong testcase format. Here's the right one.
Attachment #364823 - Attachment is obsolete: true
Attached file Updated stack trace
I think this should be a more accurate stack trace. I'll change the bug title to reflect the top-most function.
Attachment #364821 - Attachment is obsolete: true
Btw, the stack likes to change around, so someone please look at this and diagnose the problem. The title and currently uploaded stack reflect the crash that occurred closest to the point at which I open the testcase and press crash.
Summary: Crash [@js3250.dll!GrowTokenBuf] → Crash [@plds4.dll:PL_HashTableRawLookup]
I debugged it and I can see the same problem as in bug 481921. With that fix applied, I can't reproduce the crash and 'valgrind' is silent. (Firefox trunk on Linux x86_64)
Depends on: 481921
Keywords: crash
OS: Windows XP → All
Hardware: x86 → All
qawanted: please verify that this bug is actually fixed by bug 481921
Keywords: qawanted, testcase
Whiteboard: [sg:dupe 481921]
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Group: core-security
Crash Signature: [@plds4.dll:PL_HashTableRawLookup]