Bug 493240 - crash in imglib [@imgRequestProxy::OnStopRequest]
Opened 16 years ago; closed 16 years ago
Categories: Core :: Graphics: ImageLib, defect
Status: RESOLVED FIXED
People: Reporter: cbook, Assigned: joe
Keywords: crash, fixed1.9.1, regression
Whiteboard: [sg:critical] keep closed, see bug 508057 comment 23
Attachments (1 file): patch, 607 bytes; bzbarsky: review+, superreview+
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090515 Shiretoko/3.5b5pre
Steps to reproduce:
-> Load http://www.soohie.com/robes-AAAC.html?& (you need to wait till the site is completely loaded)
-> Crash
Exploitability Classification: EXPLOITABLE
(f0c.7c0): Access violation - code c0000005 (!!! second chance !!!)
eax=69746163 ebx=7ffde000 ecx=07134f18 edx=029eaf10 esi=00ceaa80 edi=7c91005d
eip=69746163 esp=0012f7f0 ebp=0012f888 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
69746163 ?? ???
0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitable;k;q'
Opened log file 'dbgeng.log'
$ Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x6d89c0006d89c (Hash=0x10107a1d.0x4216183b)
Access violations at the instruction pointer are exploitable if not near NULL.
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012f7ec 02986fdf 0x69746163
0012f888 0298bf9a imglib2!imgRequestProxy::OnStopRequest+0xdf
0012f8e0 0297dc22 imglib2!imgRequest::OnStopRequest+0x25a
0012f8fc 02ae1218 imglib2!ProxyListener::OnStopRequest+0x42
0012f91c 02b833c9 necko!nsStreamListenerTee::OnStopRequest+0xa8
0012f964 02ad796e necko!nsHttpChannel::OnStopRequest+0x3e9
0012f990 02ad7340 necko!nsInputStreamPump::OnStateStop+0xde
0012f9a0 002e2d8a necko!nsInputStreamPump::OnInputStreamReady+0x90
0012f9b4 00304d1a xpcom_core!nsInputStreamReadyEvent::Run+0x4a
0012f9f0 00296783 xpcom_core!nsThread::ProcessNextEvent+0x1fa
0012fa0c 0286f72d xpcom_core!NS_ProcessNextEvent_P+0x53
0012fa20 033f42db gkwidget!nsBaseAppShell::Run+0x5d
0012fa34 1000cfd7 tkitcmps!nsAppStartup::Run+0x6b
0012fed0 00401ac2 xul!XRE_main+0x2fb7
0012ff34 00401289 firefox!NS_internal_main+0x2b2
0012ff68 00402746 firefox!wmain+0x119
0012ffb8 0040259d firefox!__tmainCRTStartup+0x1a6
0012ffc0 7c817077 firefox!wmainCRTStartup+0xd
0012fff0 00000000 kernel32!RegisterWaitForInputIdle+0x49
quit:
Flags: blocking-firefox3.5?
Updated by reporter (16 years ago):
Whiteboard: [sg:critical]

Comment 1 (16 years ago):
crashes minefield/mac as well.
Component: General → ImageLib
Flags: blocking-firefox3.5?
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → imagelib
Version: 3.5 Branch → Trunk
Updated 16 years ago:
Flags: blocking1.9.1?

Comment 2 (16 years ago):
crash on Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090513 Shiretoko/3.5b5pre too, but no breakpad dialog
Comment 3 (16 years ago):
The EIP address where it crashes is actually the string "cati".
FWIW, that string appears in the html input in 3 places, in these words:
application, location, d'authentification
Updated by assignee (16 years ago):
Assignee: nobody → joe
Summary: Read Access Violation at the Instruction Pointer → crash in imglib [@imgRequestProxy::OnStopRequest]
Comment 4 (16 years ago):
Based on joe's valgrind output (http://pastebin.mozilla.org/650690), this is a regression from bug 393936. The Cancel call in nsBulletFrame::Destroy should be CancelAndForgetObserver.
Blocks: 393936
Comment 5 (16 years ago):
And we should presumably audit all imgIRequest::Cancel callers. I thought that got done in bug 393936... What's the remaining list?
Comment 6 (Assignee, 16 years ago):
I repeatedly ask myself what I'd do without Boris.
This is a no-brainer change that fixes this bug. Also, I further audited Gecko, and found no other users of imgIRequest::Cancel() that should use imgIRequest::CancelAndForgetObserver() instead.
Attachment #377829 - Flags: superreview?(vladimir), review?(bzbarsky)
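The lifetime problem behind this report, as an added illustration (not Gecko code and not the attached patch): an image request keeps a non-owning pointer back to the frame that observes it, and network completion is delivered through that request after the frame may already be gone. `Cancel()` stops the load but leaves the back-pointer in place; `CancelAndForgetObserver()` also clears it. The class names `Observer`, `RequestProxy`, `BulletFrame` and the function `RunScenario` are stand-ins chosen here; the live-object registry is a simulation device so the example can report the dangling call instead of actually dereferencing freed memory.

```cpp
// Added illustration, not Gecko code: why imgIRequest::Cancel() in a frame's
// Destroy() leaves a dangling observer, and why CancelAndForgetObserver() fixes it.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <set>

// Addresses of observers that are currently alive. The simulation consults this
// instead of dereferencing a freed object (undefined behaviour); in the real
// browser that dereference is the vtable call that crashed at EIP=0x69746163.
static std::set<std::uintptr_t> g_liveObservers;

// Stand-in (hypothetical) for the observer side of nsBulletFrame.
class Observer {
public:
    Observer() { g_liveObservers.insert(reinterpret_cast<std::uintptr_t>(this)); }
    virtual ~Observer() { g_liveObservers.erase(reinterpret_cast<std::uintptr_t>(this)); }
    virtual void OnStopRequest() { ++mStops; }
    int Stops() const { return mStops; }
private:
    int mStops = 0;
};

// Stand-in (hypothetical) for imgRequestProxy: a non-owning pointer back to the
// observer. Completion (nsHttpChannel::OnStopRequest in the stack above) is
// delivered through this object, possibly long after the frame is destroyed.
class RequestProxy {
public:
    explicit RequestProxy(Observer* o) : mObserver(o) {}

    // imgIRequest::Cancel-style: stop the load, but keep the observer pointer.
    void Cancel() { mCanceled = true; }

    // imgIRequest::CancelAndForgetObserver-style: stop the load and drop the pointer.
    void CancelAndForgetObserver() { mCanceled = true; mObserver = nullptr; }

    // Deliver the stop notification. Returns false if it would have called
    // through a pointer to a destroyed observer (the use-after-free).
    bool OnStopRequest() {
        if (!mObserver) return true;                       // forgotten: nothing to notify
        if (!g_liveObservers.count(reinterpret_cast<std::uintptr_t>(mObserver)))
            return false;                                  // dangling: this is the crash
        mObserver->OnStopRequest();
        return true;
    }

    bool Canceled() const { return mCanceled; }

private:
    Observer* mObserver;
    bool mCanceled = false;
};

// Stand-in (hypothetical) for nsBulletFrame. Destroy() is the teardown path the
// patch changes; useForget selects the original call or the fixed one.
class BulletFrame : public Observer {
public:
    void AttachRequest(RequestProxy* req) { mRequest = req; }
    void Destroy(bool useForget) {
        if (!mRequest) return;
        if (useForget) mRequest->CancelAndForgetObserver();
        else           mRequest->Cancel();
    }
private:
    RequestProxy* mRequest = nullptr;
};

// The sequence from the report: the frame is destroyed while its image request
// is still in flight, then the request completes. Returns true if completion
// was delivered safely, false if it would have run on the freed frame.
bool RunScenario(bool useForget) {
    std::unique_ptr<RequestProxy> request;
    {
        auto frame = std::make_unique<BulletFrame>();
        request = std::make_unique<RequestProxy>(frame.get());
        frame->AttachRequest(request.get());
        frame->Destroy(useForget);          // nsBulletFrame::Destroy
    }                                       // frame freed; the request outlives it
    return request->OnStopRequest();        // the deferred OnStopRequest
}

int main() {
    std::printf("Cancel():                  %s\n",
                RunScenario(false) ? "safe" : "called into freed frame");
    std::printf("CancelAndForgetObserver(): %s\n",
                RunScenario(true) ? "safe" : "called into freed frame");
    return 0;
}
```

What the simulation does not model is why the crash landed where it did: in the report the freed frame's memory had been reused for page content, so the vtable slot read by `OnStopRequest` held the bytes 63 61 74 69, which is the little-endian form of EIP 0x69746163 and the string "cati" noted in comment 3. That reuse is what turns a dangling-observer bug from a null-ish crash into an attacker-influenced control transfer, and hence the [sg:critical] rating.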
Comment 7 (Assignee, 16 years ago):
(However, a static analysis that shows me all callers of imgIRequest::Cancel() wouldn't go astray.)
Updated 16 years ago:
Attachment #377829 - Flags: superreview?(vladimir) → superreview+; review?(bzbarsky) → review+
Comment 8 (16 years ago):
Comment on attachment 377829:
Use CancelAndForgetObserver in nsBulletFrame
I can just r+sr this.
Comment 9 (Assignee, 16 years ago):
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: blocking1.9.1? → blocking1.9.1+
Comment 10 (Assignee, 16 years ago):
Keywords: fixed1.9.1
Comment 11 (15 years ago):
> found no other users of imgIRequest::Cancel() that should use
> imgIRequest::CancelAndForgetObserver()
See bug 508057. :(
Updated 15 years ago:
Keywords: regression

Updated 15 years ago:
Whiteboard: [sg:critical] → [sg:critical] keep closed, see bug 508057 comment 23

Updated 13 years ago:
Crash Signature: [@imgRequestProxy::OnStopRequest]
Comment 12 (Assignee, 13 years ago):
bug 508057 comment 24 seems to say that we don't need to keep this closed any more. Is that so?
Updated 12 years ago:
Group: core-security