Closed Bug 494714 Opened 16 years ago Closed 15 years ago

Read Access Violation near NULL starting at NPSWF32+0xa0977 | Crash [@ NPSWF32.dll@0xa17be] | Crash [@ Flash Player@0x1202f1]

Categories: External Software Affecting Firefox Graveyard :: Flash (Adobe)
Type: defect
Priority: Not set
Severity: critical
Tracking: Not tracked
Status: RESOLVED FIXED
Reporter: cbook
Assignee: pbetlem
Keywords: crash
Whiteboard: [sg:vector dos (Flash)] Fixed: Flash: WIN 10,1,53,7

Steps to reproduce:
-> Load http://flashcrash.dempsky.org/
--> Crashes Firefox 1.9.0/1.9.1 and trunk with the latest flash plugin (940.914):

Access violation - code c0000005 (!!! second chance !!!)
eax=0a8bd190 ebx=00000000 ecx=00000000 edx=0a500200 esi=00000000 edi=0a99a100
eip=0a110977 esp=0012f4c4 ebp=0012f52c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00240246
NPSWF32+0xa0977:
0a110977 8b869c000000 mov eax,dword ptr [esi+9Ch] ds:0023:0000009c=????????

Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at NPSWF32+0xa0977 (Hash=0x77414308.0x34414308)
This is a user mode read access violation near null, and is probably not exploitable.

ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f52c 00000000 NPSWF32+0xa0977
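The faulting instruction in comment 0 is `mov eax,dword ptr [esi+9Ch]` with esi zeroed, so the read targets address 0x9c, inside the unmapped region below the first valid page; that is why the !exploitable output calls it a user-mode read near NULL and rates it PROBABLY_NOT_EXPLOITABLE. The C below is an added illustration and is not Flash's code nor part of this bug: it models that access pattern with an invented object layout whose field sits at offset 0x9c, shows the unchecked read beside a NULL-checked accessor, and applies the same near-NULL triage heuristic to the register values from the dump. The struct layout, the function names and the 64 KiB NULL-region threshold are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical object layout, invented for illustration: the crash reads
 * [esi+0x9c] with esi == 0, i.e. a field 0x9c bytes into an object reached
 * through a NULL pointer. The padding puts `flags` at exactly that offset. */
typedef struct {
    uint8_t  header[0x9c];
    uint32_t flags;
} plugin_obj_t;

size_t flags_offset(void) { return offsetof(plugin_obj_t, flags); }

/* The "before" pattern: no NULL check, so a NULL `o` faults at address 0x9c,
 * just like the dumped instruction. Defined for comparison, never called. */
uint32_t read_flags_unchecked(const plugin_obj_t *o) { return o->flags; }

/* Hardened accessor: refuse a NULL object instead of dereferencing it. */
int read_flags_checked(const plugin_obj_t *o, uint32_t *out) {
    if (o == NULL) return -1;
    *out = o->flags;
    return 0;
}

/* Triage heuristic of the kind !exploitable applied to the dump: a read whose
 * target falls inside the never-mapped region at the bottom of the address
 * space is a plain NULL dereference, hence a crash (DoS) rather than a
 * controllable memory access. The 64 KiB bound is an assumption for this
 * example (Windows reserves at least that much below the first user page). */
#define NULL_REGION_LIMIT 0x10000u

typedef enum { FAULT_READ, FAULT_WRITE, FAULT_EXEC } fault_kind_t;

uint32_t fault_address(uint32_t base_reg, uint32_t displacement) {
    return base_reg + displacement;   /* 32-bit x86 effective address */
}

const char *classify_fault(uint32_t base_reg, uint32_t displacement, fault_kind_t kind) {
    uint32_t target = fault_address(base_reg, displacement);
    if (target < NULL_REGION_LIMIT) {
        return kind == FAULT_READ
            ? "near-NULL read: probably not exploitable (DoS)"
            : "near-NULL write/exec: needs further analysis";
    }
    return "fault outside NULL region: needs further analysis";
}

/* Small demos of the checked accessor, used by main() below. */
uint32_t sample_flags(void) {
    plugin_obj_t obj = {{0}, 0x1234u};   /* constructed sample object */
    uint32_t f = 0;
    return read_flags_checked(&obj, &f) == 0 ? f : 0xffffffffu;
}

int null_rejected(void) {
    uint32_t f = 0;
    return read_flags_checked(NULL, &f) == -1;
}

int main(void) {
    /* esi=00000000 and displacement 9Ch, as in the register dump. */
    printf("flags offset 0x%zx, fault at 0x%08x: %s\n",
           flags_offset(), fault_address(0u, 0x9cu), classify_fault(0u, 0x9cu, FAULT_READ));
    /* edi=0a99a100 from the same dump would not have been a near-NULL fault. */
    printf("edi-based access: %s\n", classify_fault(0x0a99a100u, 0x9cu, FAULT_READ));
    printf("checked read of sample object: 0x%x, NULL rejected: %d\n",
           sample_flags(), null_rejected());
    return 0;
}
```

The heuristic is only a first cut: a near-NULL read says nothing about whether the same bug can be steered to a non-NULL pointer on another path, which is why the whiteboard keeps it as [sg:vector dos (Flash)] rather than dropping it.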
stack on OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090520 Shiretoko/3.5b5pre

0 Flash Player Flash Player@0x11eca1
1 Flash Player Flash Player@0x186ce8
2 Flash Player Flash Player@0x185b22
3 Flash Player Flash Player@0x25c668
4 Flash Player Flash_EnforceLocalSecurity
5 XUL nsNPAPIPluginStreamListener::OnDataAvailable modules/plugin/base/src/nsNPAPIPluginInstance.cpp:532
6 XUL nsPluginStreamListenerPeer::OnDataAvailable modules/plugin/base/src/nsPluginHostImpl.cpp:2168
7 XUL nsStreamListenerTee::OnDataAvailable netwerk/base/src/nsStreamListenerTee.cpp:97
8 XUL nsHttpChannel::OnDataAvailable netwerk/protocol/http/src/nsHttpChannel.cpp:5063
9 XUL nsInputStreamPump::OnStateTransfer netwerk/base/src/nsInputStreamPump.cpp:508
10 XUL nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:398
11 XUL nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:111
12 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510
13 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:180
14 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:121
15 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:405
16 CoreFoundation CFRunLoopRunSpecific
17 CoreFoundation CFRunLoopRunInMode
18 HIToolbox RunCurrentEventLoopInMode
19 HIToolbox ReceiveNextEventCommon
20 HIToolbox BlockUntilNextEventMatchingListInMode
21 AppKit _DPSNextEvent
22 AppKit -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
23 AppKit -[NSApplication run]
24 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:716
25 XUL nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:193
26 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3298
27 firefox-bin main browser/app/nsBrowserApp.cpp:156
28 firefox-bin firefox-bin@0x1541
29 firefox-bin firefox-bin@0x1468
30 @0x2
If this is a flash bug and doesn't look exploitable do we want to continue to track this or just close the bug?
Keywords: testcase-wanted
Whiteboard: [sg:vector dos (Flash)]
This is the same as bug 500574. Let's dupe there.
No fix with Flash Update to 10,0,32,18
Yielding a crash on comment #0's URL on load in 1.9.1.2 and trunk

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090804 Minefield/3.6a1pre

http://crash-stats.mozilla.com/report/index/ba06c263-c411-474f-9df9-cc3652090804?p=1
same stack
how does this look against Flash Player 10.0.42.34?
This is public, no purpose in hiding it.

http://flashcrash.dempsky.org/ (will crash if you have flash enabled).
Ditto http://www.securityfocus.com/archive/1/archive/1/496929/100/0/threaded with 10.0.45.2

Mac bp-528dda94-ab7d-45e0-ade7-24c8a2100220
0 Flash Player Flash Player@0x1202f1
1 Flash Player Flash Player@0x18880a
2 Flash Player Flash Player@0x187692
3 Flash Player Flash Player@0x25f148
4 Flash Player Flash Player@0x2ef207

Win2K3
Thread 0 (crashed)
0 NPSWF32.dll + 0xa17be
   eip = 0x052d17be esp = 0x0012f2c4 ebp = 0x0012f32c ebx = 0x00000000
   esi = 0x00000000 edi = 0x057262b8 eax = 0x05911190 ecx = 0x00000000
   edx = 0x05701400 efl = 0x00010246
   Found by: given as instruction pointer in context
1 0x0
   eip = 0x00000001 esp = 0x0012f334 ebp = 0x0018a11c
   Found by: previous frame's frame pointer
2 NPSWF32.dll + 0xeaf5
   eip = 0x0523eaf6 esp = 0x0012f33c ebp = 0x0018a11c
   Found by: stack scanning
3 NPSWF32.dll + 0xeb1f
   eip = 0x0523eb20 esp = 0x0012f34c ebp = 0x0018a11c
   Found by: stack scanning
4 NPSWF32.dll + 0x232650
   eip = 0x05462651 esp = 0x0012f354 ebp = 0x0018a11c
   Found by: stack scanning
5 nspr4.dll!PR_GetCurrentThread [prcthr.c : 174 + 0x4]
   eip = 0x008e95d6 esp = 0x0012f384 ebp = 0x0018a11c
   Found by: stack scanning
6 NPSWF32.dll + 0x232650
   eip = 0x05462651 esp = 0x0012f390 ebp = 0x0012f398
   Found by: stack scanning
7 0x12f423
   eip = 0x0012f424 esp = 0x0012f3a0 ebp = 0x00000000
   Found by: previous frame's frame pointer
8 NPSWF32.dll + 0xd4e45
   eip = 0x05304e46 esp = 0x0012f3a4 ebp = 0x00000000
   Found by: stack scanning
9 nspr4.dll!dtoa [prdtoa.c : 2823 + 0x1]
   eip = 0x008d597a esp = 0x0012f3c4 ebp = 0x00000000
   Found by: stack scanning
Group: core-security
Summary: Read Access Violation near NULL starting at NPSWF32+0xa0977 → Read Access Violation near NULL starting at NPSWF32+0xa0977 | Crash [@ NPSWF32.dll@0xa17be] | Crash [@ Flash Player@0x1202f1]
Component: Plug-ins → Flash (Adobe)
Product: Core → Plugins
QA Contact: plugins → adobe-flash
Version: Trunk → unspecified
This bug can be closed as fixed. It was fixed in Beta 1 of Flash Player 10.1. Installing the shipping candidate from here will demonstrate the fix: http://labs.adobe.com/downloads/flashplayer10.html
Assignee: nobody → pbetlem
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [sg:vector dos (Flash)] → [sg:vector dos (Flash)] Fixed: Flash: WIN 10,1,53,7
Crash Signature: [@ NPSWF32.dll@0xa17be] [@ Flash Player@0x1202f1]
Product: External Software Affecting Firefox → External Software Affecting Firefox Graveyard