Closed Bug 493240 Opened 15 years ago Closed 15 years ago

crash in imglib [@imgRequestProxy::OnStopRequest]

Categories

(Core :: Graphics: ImageLib, defect)

x86
All
defect
Not set
critical

Tracking

RESOLVED FIXED

People

(Reporter: cbook, Assigned: joe)

Details

(Keywords: crash, fixed1.9.1, regression, Whiteboard: [sg:critical] keep closed, see bug 508057 comment 23)

Attachments

(1 file)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090515 Shiretoko/3.5b5pre

Steps to reproduce:
-> Load http://www.soohie.com/robes-AAAC.html?& (you need to wait till the site is completely loaded)
-> Crash
Exploitability Classification: EXPLOITABLE

(f0c.7c0): Access violation - code c0000005 (!!! second chance !!!)
eax=69746163 ebx=7ffde000 ecx=07134f18 edx=029eaf10 esi=00ceaa80 edi=7c91005d
eip=69746163 esp=0012f7f0 ebp=0012f888 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
69746163 ??              ???
0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitable;k;q'
Opened log file 'dbgeng.log'
$ Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x6d89c0006d89c (Hash=0x10107a1d.0x4216183b)

Access violations at the instruction pointer are exploitable if not near NULL.
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f7ec 02986fdf 0x69746163
0012f888 0298bf9a imglib2!imgRequestProxy::OnStopRequest+0xdf
0012f8e0 0297dc22 imglib2!imgRequest::OnStopRequest+0x25a
0012f8fc 02ae1218 imglib2!ProxyListener::OnStopRequest+0x42
0012f91c 02b833c9 necko!nsStreamListenerTee::OnStopRequest+0xa8
0012f964 02ad796e necko!nsHttpChannel::OnStopRequest+0x3e9
0012f990 02ad7340 necko!nsInputStreamPump::OnStateStop+0xde
0012f9a0 002e2d8a necko!nsInputStreamPump::OnInputStreamReady+0x90
0012f9b4 00304d1a xpcom_core!nsInputStreamReadyEvent::Run+0x4a
0012f9f0 00296783 xpcom_core!nsThread::ProcessNextEvent+0x1fa
0012fa0c 0286f72d xpcom_core!NS_ProcessNextEvent_P+0x53
0012fa20 033f42db gkwidget!nsBaseAppShell::Run+0x5d
0012fa34 1000cfd7 tkitcmps!nsAppStartup::Run+0x6b
0012fed0 00401ac2 xul!XRE_main+0x2fb7
0012ff34 00401289 firefox!NS_internal_main+0x2b2
0012ff68 00402746 firefox!wmain+0x119
0012ffb8 0040259d firefox!__tmainCRTStartup+0x1a6
0012ffc0 7c817077 firefox!wmainCRTStartup+0xd
0012fff0 00000000 kernel32!RegisterWaitForInputIdle+0x49
quit:
Flags: blocking-firefox3.5?
Whiteboard: [sg:critical]
Keywords: crash
crashes minefield/mac as well.
Component: General → ImageLib
Flags: blocking-firefox3.5?
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → imagelib
Version: 3.5 Branch → Trunk
Flags: blocking1.9.1?
crash on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090513 Shiretoko/3.5b5pre too, but no breakpad dialog
The EIP address where it crashes is actually the string "cati".
FWIW, that string appears in the HTML input in 3 places, in these words:
application, location, d'authentification
Assignee: nobody → joe
Summary: Read Access Violation at the Instruction Pointer → crash in imglib [@imgRequestProxy::OnStopRequest]
Based on joe's valgrind output (http://pastebin.mozilla.org/650690), this is a regression from bug 393936.  The Cancel call in nsBulletFrame::Destroy should be CancelAndForgetObserver.
Blocks: 393936
And we should presumably audit all imgIRequest::Cancel callers.  I thought that got done in bug 393936...  What's the remaining list?
I repeatedly ask myself what I'd do without Boris.

This is a no-brainer change that fixes this bug. Also, I further audited Gecko, and found no other users of imgIRequest::Cancel() that should use imgIRequest::CancelAndForgetObserver() instead.
Attachment #377829 - Flags: superreview?(vladimir)
Attachment #377829 - Flags: review?(bzbarsky)
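As an added example (not Gecko code and not attachment 377829), the stand-alone C++ below models the lifetime defect described in the comments above: imgIRequest::Cancel() stops the load but leaves the proxy's raw observer pointer in place, so when the frame is destroyed and the stop notification arrives later, imgRequestProxy::OnStopRequest calls through freed memory; CancelAndForgetObserver() also clears the pointer, which is the one-line fix. It also shows why the faulting EIP reads as "cati" on little-endian x86, as noted earlier in the bug. All class names are hypothetical stand-ins for imgRequestProxy, imgIRequest and nsBulletFrame, and the liveObservers registry exists only so the example can report the dangling pointer (roughly what valgrind did here) instead of actually dereferencing freed memory.

```cpp
#include <cstdint>
#include <cstdio>
#include <set>
#include <string>

// Set of observers whose destructor has not run. Nothing like this exists in
// Gecko; it is here so the example can report a dangling observer instead of
// calling through freed memory (which is what valgrind flagged on this bug).
static std::set<const void*>& liveObservers() {
    static std::set<const void*> live;
    return live;
}

// Stand-in for the observer side of imgIRequest (the frame that asked for the image).
struct ImageObserver {
    ImageObserver() { liveObservers().insert(this); }
    virtual ~ImageObserver() { liveObservers().erase(this); }
    virtual void OnStopRequest() = 0;
};

enum class Delivery { Delivered, Forgotten, Dangling };

// Stand-in for imgRequestProxy: holds a raw, non-owning pointer to its observer.
class RequestProxy {
public:
    explicit RequestProxy(ImageObserver* observer) : mObserver(observer) {}

    // imgIRequest::Cancel(): stops the load but leaves mObserver in place.
    void Cancel() { mCanceled = true; }

    // imgIRequest::CancelAndForgetObserver(): additionally drops the observer,
    // so a notification that is already queued has nobody to reach.
    void CancelAndForgetObserver() { mCanceled = true; mObserver = nullptr; }

    bool Canceled() const { return mCanceled; }

    // Called later from the network side (necko -> imgRequest -> proxy), even
    // after Cancel(): the stop notification is still delivered to the proxy.
    Delivery OnStopRequest() {
        if (!mObserver) return Delivery::Forgotten;
        if (!liveObservers().count(mObserver)) return Delivery::Dangling; // real build: use-after-free
        mObserver->OnStopRequest();
        return Delivery::Delivered;
    }

private:
    ImageObserver* mObserver;
    bool mCanceled = false;
};

// Stand-in for nsBulletFrame.
struct BulletFrame : ImageObserver {
    bool gotStop = false;
    void OnStopRequest() override { gotStop = true; }
};

// The sequence behind this crash: the list-item frame is destroyed while the
// bullet image is still loading, then the load finishes. `useFix` selects the
// call nsBulletFrame::Destroy makes (the patch switched it to the second one).
Delivery simulate(bool useFix) {
    BulletFrame* frame = new BulletFrame();
    RequestProxy proxy(frame);
    if (useFix) proxy.CancelAndForgetObserver(); else proxy.Cancel();
    delete frame;                 // allocation is freed; page text may be copied over it
    return proxy.OnStopRequest(); // late notification: Forgotten, or a dangling call
}

// x86 is little-endian, so EIP 0x69746163 is the bytes 63 61 74 69 in memory,
// i.e. "cati": the indirect call out of imgRequestProxy::OnStopRequest landed
// on text from the page rather than on code.
std::string eipAsAscii(uint32_t eip) {
    std::string s;
    for (int i = 0; i < 4; ++i) s.push_back(static_cast<char>((eip >> (8 * i)) & 0xffu));
    return s;
}

int main() {
    std::printf("Cancel():                  %s\n", simulate(false) == Delivery::Dangling ? "dangling observer" : "ok");
    std::printf("CancelAndForgetObserver(): %s\n", simulate(true) == Delivery::Forgotten ? "observer forgotten" : "ok");
    std::printf("EIP 0x69746163 as bytes:   %s\n", eipAsAscii(0x69746163u).c_str());
    return 0;
}
```

The registry check is the only thing standing between the buggy path and real memory corruption; in the shipping build the equivalent line is the virtual call itself, which is why the audit of every imgIRequest::Cancel() caller mattered (and, per the later comments, was not yet complete).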
(However, a static analysis that shows me all callers of imgIRequest::Cancel() wouldn't go astray.)
Attachment #377829 - Flags: superreview?(vladimir)
Attachment #377829 - Flags: superreview+
Attachment #377829 - Flags: review?(bzbarsky)
Attachment #377829 - Flags: review+
Comment on attachment 377829 [details] [diff] [review]
Use CancelAndForgetObserver in nsBulletFrame

I can just r+sr this.
http://hg.mozilla.org/mozilla-central/rev/3c30f6d52942
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: blocking1.9.1? → blocking1.9.1+
> found no other users of imgIRequest::Cancel() that should use
> imgIRequest::CancelAndForgetObserver()

See bug 508057.  :(
Keywords: regression
Whiteboard: [sg:critical] → [sg:critical] keep closed, see bug 508057 comment 23
Crash Signature: [@imgRequestProxy::OnStopRequest]
bug 508057 comment 24 seems to say that we don't need to keep this closed any more. Is that so?
Group: core-security