494714 - Read Access Violation near NULL starting at NPSWF32+0xa0977 | Crash [@ NPSWF32.dll@0xa17be] | Crash [@ Flash Player@0x1202f1]

Status: RESOLVED FIXED

Description

[Carsten Book [:Tomcat]]

Steps to reproduce:
-> Load http://flashcrash.dempsky.org/
--> Crashes Firefox 1.9.0/1.9.1 and trunk with the latest flash plugin

(940.914): Access violation - code c0000005 (!!! second chance !!!)
eax=0a8bd190 ebx=00000000 ecx=00000000 edx=0a500200 esi=00000000 edi=0a99a100
eip=0a110977 esp=0012f4c4 ebp=0012f52c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00240246
NPSWF32+0xa0977:
0a110977 8b869c000000    mov     eax,dword ptr [esi+9Ch] ds:0023:0000009c=????????
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at NPSWF32+0xa0977 (Hash=0x77414308.0x34414308)

This is a user mode read access violation near null, and is probably not exploitable.
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f52c 00000000 NPSWF32+0xa0977

Comment 1

[chris hofmann]

stack on OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090520 Shiretoko/3.5b5pre

0  	Flash Player  	Flash Player@0x11eca1  	
1 	Flash Player 	Flash Player@0x186ce8 	
2 	Flash Player 	Flash Player@0x185b22 	
3 	Flash Player 	Flash Player@0x25c668 	
4 	Flash Player 	Flash_EnforceLocalSecurity 	
5 	XUL 	nsNPAPIPluginStreamListener::OnDataAvailable 	modules/plugin/base/src/nsNPAPIPluginInstance.cpp:532
6 	XUL 	nsPluginStreamListenerPeer::OnDataAvailable 	modules/plugin/base/src/nsPluginHostImpl.cpp:2168
7 	XUL 	nsStreamListenerTee::OnDataAvailable 	netwerk/base/src/nsStreamListenerTee.cpp:97
8 	XUL 	nsHttpChannel::OnDataAvailable 	netwerk/protocol/http/src/nsHttpChannel.cpp:5063
9 	XUL 	nsInputStreamPump::OnStateTransfer 	netwerk/base/src/nsInputStreamPump.cpp:508
10 	XUL 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:398
11 	XUL 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:111
12 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
13 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:180
14 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
15 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:405
16 	CoreFoundation 	CFRunLoopRunSpecific 	
17 	CoreFoundation 	CFRunLoopRunInMode 	
18 	HIToolbox 	RunCurrentEventLoopInMode 	
19 	HIToolbox 	ReceiveNextEventCommon 	
20 	HIToolbox 	BlockUntilNextEventMatchingListInMode 	
21 	AppKit 	_DPSNextEvent 	
22 	AppKit 	-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	
23 	AppKit 	-[NSApplication run] 	
24 	XUL 	nsAppShell::Run 	widget/src/cocoa/nsAppShell.mm:716
25 	XUL 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
26 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3298
27 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
28 	firefox-bin 	firefox-bin@0x1541 	
29 	firefox-bin 	firefox-bin@0x1468 	
30 		@0x2

Comment 2

[Daniel Veditz [:dveditz]]

If this is a flash bug and doesn't look exploitable do we want to continue to track this or just close the bug?

Comment 3

[Bob Clary [:bc:]]

This is the same as bug 500574. Let's dupe there.

Comment 4

[Aaron Train [:aaronmt]]

No fix with Flash Update to 10,0,32,18

Yielding a crash on comment #0's URL on load in 1.9.1.2 and trunk

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090804 Minefield/3.6a1pre

http://crash-stats.mozilla.com/report/index/ba06c263-c411-474f-9df9-cc3652090804?p=1 same stack

Comment 5

[Charles]

how does this look against Flash Player 10.0.42.34?

Comment 6

[Bob Clary [:bc:]]

This is public, no purpose in hiding it. http://flashcrash.dempsky.org/ (will crash if you have flash enabled). Ditto http://www.securityfocus.com/archive/1/archive/1/496929/100/0/threaded

with 10.0.45.2

Mac bp-528dda94-ab7d-45e0-ade7-24c8a2100220

0  	Flash Player  	Flash Player@0x1202f1  	
1 	Flash Player 	Flash Player@0x18880a 	
2 	Flash Player 	Flash Player@0x187692 	
3 	Flash Player 	Flash Player@0x25f148 	
4 	Flash Player 	Flash Player@0x2ef207 	

Win2K3

Thread 0 (crashed)
 0  NPSWF32.dll + 0xa17be
    eip = 0x052d17be   esp = 0x0012f2c4   ebp = 0x0012f32c   ebx = 0x00000000
    esi = 0x00000000   edi = 0x057262b8   eax = 0x05911190   ecx = 0x00000000
    edx = 0x05701400   efl = 0x00010246
    Found by: given as instruction pointer in context
 1  0x0
    eip = 0x00000001   esp = 0x0012f334   ebp = 0x0018a11c
    Found by: previous frame's frame pointer
 2  NPSWF32.dll + 0xeaf5
    eip = 0x0523eaf6   esp = 0x0012f33c   ebp = 0x0018a11c
    Found by: stack scanning
 3  NPSWF32.dll + 0xeb1f
    eip = 0x0523eb20   esp = 0x0012f34c   ebp = 0x0018a11c
    Found by: stack scanning
 4  NPSWF32.dll + 0x232650
    eip = 0x05462651   esp = 0x0012f354   ebp = 0x0018a11c
    Found by: stack scanning
 5  nspr4.dll!PR_GetCurrentThread [prcthr.c : 174 + 0x4]
    eip = 0x008e95d6   esp = 0x0012f384   ebp = 0x0018a11c
    Found by: stack scanning
 6  NPSWF32.dll + 0x232650
    eip = 0x05462651   esp = 0x0012f390   ebp = 0x0012f398
    Found by: stack scanning
 7  0x12f423
    eip = 0x0012f424   esp = 0x0012f3a0   ebp = 0x00000000
    Found by: previous frame's frame pointer
 8  NPSWF32.dll + 0xd4e45
    eip = 0x05304e46   esp = 0x0012f3a4   ebp = 0x00000000
    Found by: stack scanning
 9  nspr4.dll!dtoa [prdtoa.c : 2823 + 0x1]
    eip = 0x008d597a   esp = 0x0012f3c4   ebp = 0x00000000
    Found by: stack scanning

Comment 8

[Paul Betlem]

This bug can be closed as fixed. It was fixed in Beta 1 of Flash Player 10.1. Installing the shipping candidate from here will demonstrate the fix:
http://labs.adobe.com/downloads/flashplayer10.html