Data from Faulting Address controls Branch Selection starting at js3250!js_DeepBail+0xd1

RESOLVED DUPLICATE of bug 492487

Status


Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED DUPLICATE of bug 492487
Reported: 9 years ago
Modified: 9 years ago

People

(Reporter: Tomcat, Unassigned)

Tracking

Keywords: crash
Version: 1.9.1 Branch
Hardware: x86
OS: Windows XP
Points:
---
Bug Flags:
wanted1.9.0.x -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 492487], URL)

(Reporter)

Description

9 years ago
Steps to reproduce:
-> Load http://search.yahoo.com/search?p=Driver+Training+%28Behind+the+Wheel%29+&fr=yfp-t-501&toggle=1&cop=mss&ei=UTF-8
--> Crash

Crashes 1.9.1 opt/debug builds Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090515 Shiretoko/3.5b5pre - trunk seems fine.

Marking as security bug for now, because: Exploitability Classification: UNKNOWN

(f0c.8e4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0527d878 ecx=071d1d5c edx=00e72c50 esi=0012bb90 edi=00000026
eip=005e2ce1 esp=0012b85c ebp=0012b86c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

js3250!js_DeepBail+0xd1:
005e2ce1 83b80002000000  cmp     dword ptr [eax+200h],0 ds:0023:00000200=????????

ChildEBP RetAddr
0012b86c 004c3680 js3250!js_DeepBail+0xd1
0012b878 004c431c js3250!js_LeaveTrace+0x20
0012b884 004c42ad js3250!js_GetTopStackFrame+0xc
0012b894 004c4cec js3250!PopulateReportBlame+0xd
0012b8dc 004b414b js3250!js_ReportErrorNumberVA+0x4c
0012b908 0057c994 js3250!JS_ReportErrorFlagsAndNumberUC+0x2b
0012b928 0057da65 js3250!ReportRegExpErrorHelper+0x54
0012b948 0057d16e js3250!ProcessOp+0x245
0012b9a8 0057cc55 js3250!ParseRegExp+0x39e
0012b9c4 0057b6d7 js3250!CompileRegExpToAST+0x1c5
0012ba64 0057fb99 js3250!js_NewRegExp+0x47
0012baa4 00589d78 js3250!js_NewRegExpOpt+0x249
0012bb04 0058a74e js3250!regexp_compile_sub+0x4d8
0012bb40 05fb7eeb js3250!RegExp_tn2+0x7e
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012bb84 7c91005d 0x5fb7eeb
0012e158 005ddfae ntdll!RtlFreeHeap+0x130
0012e1a4 0050cbb0 js3250!js_MonitorLoopEdge+0x2de
0012e860 00503cff js3250!js_Interpret+0x6810
0012e940 004f4e55 js3250!js_Invoke+0x99f
0012e978 0051658c js3250!js_fun_call+0x1b5
quit:
Flags: blocking1.9.1?
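The register dump and faulting instruction above contain everything needed for a first triage pass: eax is 0 and the instruction reads [eax+200h], so the access is a NULL pointer plus a field offset, which WinDbg confirms with the ds:0023:00000200 annotation. The script below is an added triage aid, not part of the bug or of SpiderMonkey; it recomputes the effective address from the quoted dump lines (embedded here as constructed sample input), cross-checks it against WinDbg's own annotation, decides whether the access is a read or a write, and flags faults in the unmapped low 64 KiB as NULL-plus-offset dereferences. The NULL_PAGE_LIMIT threshold and the read-only mnemonic set are assumptions of this example, not values taken from the page.

```python
import re

# Constructed sample input: the register line and the faulting instruction as they
# appear in the WinDbg output quoted in the bug description.
REGISTER_LINE = ("eax=00000000 ebx=0527d878 ecx=071d1d5c edx=00e72c50 "
                 "esi=0012bb90 edi=00000026")
FAULT_LINE = ("005e2ce1 83b80002000000  cmp     dword ptr [eax+200h],0 "
              "ds:0023:00000200=????????")

# Assumption: Windows leaves the lowest 64 KiB of a user process unmapped, so a
# fault there is a NULL pointer plus a field offset, not a controlled address.
NULL_PAGE_LIMIT = 0x10000

# Assumption: instructions whose memory operand is only read even when listed first.
READ_ONLY_MNEMONICS = {"cmp", "test", "push"}


def parse_registers(line):
    """Map register name -> value for every 'reg=hex8' pair on a WinDbg register line."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"\b([a-z]{3})=([0-9a-f]{8})\b", line)}


def parse_memory_operand(line):
    """Decompose the first [base+index*scale+disp] operand on a disassembly line."""
    m = re.search(r"\[([^\]]+)\]", line)
    if m is None:
        return None
    operand = {"base": None, "index": None, "scale": 1, "disp": 0}
    for sign, term in re.findall(r"([+-]?)([0-9a-z*]+)", m.group(1).replace(" ", "")):
        factor = -1 if sign == "-" else 1
        if "*" in term:                                  # scaled index, e.g. ecx*4
            reg, scale = term.split("*")
            operand["index"], operand["scale"] = reg, int(scale)
        elif re.fullmatch(r"[0-9][0-9a-f]*h", term):     # MASM-style hex, e.g. 200h
            operand["disp"] += factor * int(term[:-1], 16)
        elif term.isdigit():                              # decimal displacement
            operand["disp"] += factor * int(term)
        elif operand["base"] is None:
            operand["base"] = term
        else:
            operand["index"] = term
    return operand


def effective_address(regs, operand, width=32):
    """Evaluate the operand against the register dump, wrapping at the address width."""
    ea = operand["disp"]
    if operand["base"] is not None:
        ea += regs[operand["base"]]
    if operand["index"] is not None:
        ea += regs[operand["index"]] * operand["scale"]
    return ea & ((1 << width) - 1)


def annotated_address(line):
    """WinDbg appends 'seg:selector:address=value' for the operand it tried to access."""
    m = re.search(r"\b[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})=", line)
    return int(m.group(1), 16) if m else None


def access_kind(line):
    """'write' if the memory operand is the destination of a storing instruction, else 'read'."""
    body = re.sub(r"\s+[a-z]s:[0-9a-f]{4}:\S+$", "", line.strip())
    parts = body.split(None, 3)           # address, opcode bytes, mnemonic, operands
    mnemonic = parts[2]
    operands = parts[3].split(",") if len(parts) > 3 else []
    if mnemonic in READ_ONLY_MNEMONICS:
        return "read"
    return "write" if operands and "[" in operands[0] else "read"


def triage(register_line, fault_line):
    """Recompute the faulting address and give a first-pass exploitability verdict."""
    regs = parse_registers(register_line)
    operand = parse_memory_operand(fault_line)
    ea = effective_address(regs, operand)
    annotated = annotated_address(fault_line)
    if annotated is not None and annotated != ea:
        raise ValueError("computed address %#x disagrees with WinDbg's %#x" % (ea, annotated))
    kind = access_kind(fault_line)
    null_page = ea < NULL_PAGE_LIMIT
    if null_page:
        verdict = "null-page %s at %#x: NULL pointer plus field offset, not a controlled address" % (kind, ea)
    elif kind == "write":
        verdict = "invalid %s at %#x: store to a bad address, treat as exploitable" % (kind, ea)
    else:
        verdict = "invalid %s at %#x: exploitability depends on how the loaded value is used" % (kind, ea)
    return {"address": ea, "access": kind, "null_page": null_page,
            "operand": operand, "verdict": verdict}


if __name__ == "__main__":
    print(triage(REGISTER_LINE, FAULT_LINE)["verdict"])
```

For the dump on this page the script reports a 4-byte read at 0x200 inside the null page. That does not on its own settle exploitability (the cmp result feeds a branch, which is what the "controls Branch Selection" title is about), but a NULL-plus-offset read of a context field is the pattern one expects from a stale or missing pointer, which fits the UNKNOWN classification given above and the later resolution as a duplicate of a GC hazard.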

Comment 1

9 years ago
I don't get a crash with TM tip. Can anyone reproduce this?

Comment 2

9 years ago
I can on 1.9.1, but not tracemonkey on mac.

Comment 4

9 years ago
This is like a GC hazard in the native invocation path which was recently fixed.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 492487

Updated

9 years ago
Flags: blocking1.9.1?
Whiteboard: [sg:dupe 492487]
Group: core-security
Flags: wanted1.9.0.x-