Closed
Bug 494714
Opened 16 years ago
Closed 15 years ago
Read Access Violation near NULL starting at NPSWF32+0xa0977 | Crash [@ NPSWF32.dll@0xa17be] | Crash [@ Flash Player@0x1202f1]
Categories
(External Software Affecting Firefox Graveyard :: Flash (Adobe), defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: cbook, Assigned: pbetlem)
Details
(Keywords: crash, Whiteboard: [sg:vector dos (Flash)] Fixed: Flash: WIN 10,1,53,7)
Crash Data
Steps to reproduce:
-> Load http://flashcrash.dempsky.org/
--> Crashes Firefox 1.9.0/1.9.1 and trunk with the latest flash plugin
(940.914): Access violation - code c0000005 (!!! second chance !!!)
eax=0a8bd190 ebx=00000000 ecx=00000000 edx=0a500200 esi=00000000 edi=0a99a100
eip=0a110977 esp=0012f4c4 ebp=0012f52c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00240246
NPSWF32+0xa0977:
0a110977 8b869c000000 mov eax,dword ptr [esi+9Ch] ds:0023:0000009c=????????
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at NPSWF32+0xa0977 (Hash=0x77414308.0x34414308)
This is a user mode read access violation near null, and is probably not exploitable.
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012f52c 00000000 NPSWF32+0xa0977
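The "near NULL" verdict in the WinDbg output above is mechanical: the faulting instruction reads through esi, esi is zero, and the displacement 0x9c puts the access in the unmapped low region of the process. The following script is an added example (not part of the bug report or of Microsoft's !exploitable extension) that reproduces that reasoning over a constructed copy of the register context shown above. It assumes that the lowest 64 KiB of a 32-bit Windows user-mode address space is never mapped (the NEAR_NULL_LIMIT constant) and uses a simplified read/write rule (a memory destination operand is a write, anything else a read) rather than the real tool's operand decoding.

```python
import re

# Constructed sample in the shape of the WinDbg context from the report
# (register dump followed by the faulting instruction).
SAMPLE_CONTEXT = """\
eax=0a8bd190 ebx=00000000 ecx=00000000 edx=0a500200 esi=00000000 edi=0a99a100
eip=0a110977 esp=0012f4c4 ebp=0012f52c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00240246
NPSWF32+0xa0977:
0a110977 8b869c000000 mov eax,dword ptr [esi+9Ch] ds:0023:0000009c=????????
"""

# Assumption: the first 64 KiB of a 32-bit Windows process is reserved and
# never mapped, so any access below it always faults and is "near NULL".
NEAR_NULL_LIMIT = 0x10000

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)=([0-9a-f]{8})\b")
# MASM-style memory operand: [reg], [reg+9Ch], [reg-4] ...
MEM_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[bs]p)(?:\s*([+-])\s*([0-9A-Fa-f]+)h?)?\]")
# "<addr> <bytes> <mnemonic> <operands> [ds:0023:<reported>=...]"
INSN_RE = re.compile(
    r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(?P<mnemonic>\w+)\s+(?P<operands>.+?)"
    r"(?:\s+[cdefgs]s:[0-9a-f]{4}:(?P<reported>[0-9a-f]{8})=\S+)?$",
    re.M,
)


def parse_registers(context: str) -> dict:
    """Collect the 32-bit general-purpose register values from the dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(context)}


def effective_address(operand: str, regs: dict):
    """Compute base +/- displacement for an operand such as [esi+9Ch]."""
    m = MEM_RE.search(operand)
    if not m:
        return None
    base, sign, disp = m.groups()
    addr = regs[base]
    if disp:
        addr += int(disp, 16) * (-1 if sign == "-" else 1)
    return addr & 0xFFFFFFFF


def triage(context: str) -> dict:
    """Classify the faulting access the way the report's verdict was reached."""
    regs = parse_registers(context)
    m = INSN_RE.search(context)
    if not m:
        raise ValueError("no disassembly line found in context")
    operands = [op.strip() for op in m.group("operands").split(",")]
    # First operand is the destination in Intel syntax: memory there means a write.
    mem_index = next((i for i, op in enumerate(operands) if "[" in op), None)
    if mem_index is None:
        return {"access": None, "address": None, "near_null": False, "verdict": "UNKNOWN"}
    address = effective_address(operands[mem_index], regs)
    access = "write" if mem_index == 0 else "read"
    # Cross-check against the address the debugger itself printed, when present.
    reported = m.group("reported")
    if reported is not None and int(reported, 16) != address:
        raise ValueError("computed address disagrees with debugger-reported address")
    near_null = address < NEAR_NULL_LIMIT
    # Only the case the report documents gets a verdict; everything else is
    # left for manual triage (simplification of the real tool's ruleset).
    verdict = "PROBABLY_NOT_EXPLOITABLE" if (access == "read" and near_null) else "UNKNOWN"
    return {"access": access, "address": address, "near_null": near_null, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_CONTEXT))
```

Running it on the sample yields address 0x9c, a read, near NULL, verdict PROBABLY_NOT_EXPLOITABLE, matching the report. The consistency check against the `ds:0023:0000009c` field is worth keeping in any real triage script: a disagreement usually means the disassembly line was mis-parsed rather than that the debugger was wrong.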
Comment 1•16 years ago
stack on OS X 10.5; en-US; rv:1.9.1b5pre) Gecko/20090520 Shiretoko/3.5b5pre
0 Flash Player Flash Player@0x11eca1
1 Flash Player Flash Player@0x186ce8
2 Flash Player Flash Player@0x185b22
3 Flash Player Flash Player@0x25c668
4 Flash Player Flash_EnforceLocalSecurity
5 XUL nsNPAPIPluginStreamListener::OnDataAvailable modules/plugin/base/src/nsNPAPIPluginInstance.cpp:532
6 XUL nsPluginStreamListenerPeer::OnDataAvailable modules/plugin/base/src/nsPluginHostImpl.cpp:2168
7 XUL nsStreamListenerTee::OnDataAvailable netwerk/base/src/nsStreamListenerTee.cpp:97
8 XUL nsHttpChannel::OnDataAvailable netwerk/protocol/http/src/nsHttpChannel.cpp:5063
9 XUL nsInputStreamPump::OnStateTransfer netwerk/base/src/nsInputStreamPump.cpp:508
10 XUL nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:398
11 XUL nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:111
12 XUL nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:510
13 XUL NS_ProcessPendingEvents_P nsThreadUtils.cpp:180
14 XUL nsBaseAppShell::NativeEventCallback widget/src/xpwidgets/nsBaseAppShell.cpp:121
15 XUL nsAppShell::ProcessGeckoEvents widget/src/cocoa/nsAppShell.mm:405
16 CoreFoundation CFRunLoopRunSpecific
17 CoreFoundation CFRunLoopRunInMode
18 HIToolbox RunCurrentEventLoopInMode
19 HIToolbox ReceiveNextEventCommon
20 HIToolbox BlockUntilNextEventMatchingListInMode
21 AppKit _DPSNextEvent
22 AppKit -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
23 AppKit -[NSApplication run]
24 XUL nsAppShell::Run widget/src/cocoa/nsAppShell.mm:716
25 XUL nsAppStartup::Run toolkit/components/startup/src/nsAppStartup.cpp:193
26 XUL XRE_main toolkit/xre/nsAppRunner.cpp:3298
27 firefox-bin main browser/app/nsBrowserApp.cpp:156
28 firefox-bin firefox-bin@0x1541
29 firefox-bin firefox-bin@0x1468
30 @0x2
Comment 2•16 years ago
If this is a Flash bug and doesn't look exploitable, do we want to continue to track this or just close the bug?
Keywords: testcase-wanted
Whiteboard: [sg:vector dos (Flash)]
Comment 3•16 years ago
This is the same as bug 500574. Let's dupe there.
Comment 4•16 years ago
No fix with Flash Update to 10,0,32,18
Yielding a crash on comment #0's URL on load in 1.9.1.2 and trunk
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090804 Minefield/3.6a1pre
http://crash-stats.mozilla.com/report/index/ba06c263-c411-474f-9df9-cc3652090804?p=1 same stack
Comment 6•15 years ago
This is public, no purpose in hiding it. http://flashcrash.dempsky.org/ (will crash if you have flash enabled). Ditto http://www.securityfocus.com/archive/1/archive/1/496929/100/0/threaded
with 10.0.45.2
Mac bp-528dda94-ab7d-45e0-ade7-24c8a2100220
0 Flash Player Flash Player@0x1202f1
1 Flash Player Flash Player@0x18880a
2 Flash Player Flash Player@0x187692
3 Flash Player Flash Player@0x25f148
4 Flash Player Flash Player@0x2ef207
Win2K3
Thread 0 (crashed)
0 NPSWF32.dll + 0xa17be
eip = 0x052d17be esp = 0x0012f2c4 ebp = 0x0012f32c ebx = 0x00000000
esi = 0x00000000 edi = 0x057262b8 eax = 0x05911190 ecx = 0x00000000
edx = 0x05701400 efl = 0x00010246
Found by: given as instruction pointer in context
1 0x0
eip = 0x00000001 esp = 0x0012f334 ebp = 0x0018a11c
Found by: previous frame's frame pointer
2 NPSWF32.dll + 0xeaf5
eip = 0x0523eaf6 esp = 0x0012f33c ebp = 0x0018a11c
Found by: stack scanning
3 NPSWF32.dll + 0xeb1f
eip = 0x0523eb20 esp = 0x0012f34c ebp = 0x0018a11c
Found by: stack scanning
4 NPSWF32.dll + 0x232650
eip = 0x05462651 esp = 0x0012f354 ebp = 0x0018a11c
Found by: stack scanning
5 nspr4.dll!PR_GetCurrentThread [prcthr.c : 174 + 0x4]
eip = 0x008e95d6 esp = 0x0012f384 ebp = 0x0018a11c
Found by: stack scanning
6 NPSWF32.dll + 0x232650
eip = 0x05462651 esp = 0x0012f390 ebp = 0x0012f398
Found by: stack scanning
7 0x12f423
eip = 0x0012f424 esp = 0x0012f3a0 ebp = 0x00000000
Found by: previous frame's frame pointer
8 NPSWF32.dll + 0xd4e45
eip = 0x05304e46 esp = 0x0012f3a4 ebp = 0x00000000
Found by: stack scanning
9 nspr4.dll!dtoa [prdtoa.c : 2823 + 0x1]
eip = 0x008d597a esp = 0x0012f3c4 ebp = 0x00000000
Found by: stack scanning
Group: core-security
Summary: Read Access Violation near NULL starting at NPSWF32+0xa0977 → Read Access Violation near NULL starting at NPSWF32+0xa0977 | Crash [@ NPSWF32.dll@0xa17be] | Crash [@ Flash Player@0x1202f1]
Component: Plug-ins → Flash (Adobe)
Product: Core → Plugins
QA Contact: plugins → adobe-flash
Version: Trunk → unspecified
Comment 8•15 years ago
This bug can be closed as fixed. It was fixed in Beta 1 of Flash Player 10.1. Installing the shipping candidate from here will demonstrate the fix:
http://labs.adobe.com/downloads/flashplayer10.html
Assignee: nobody → pbetlem
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: [sg:vector dos (Flash)] → [sg:vector dos (Flash)] Fixed: Flash: WIN 10,1,53,7
Updated•14 years ago
Crash Signature: [@ NPSWF32.dll@0xa17be]
[@ Flash Player@0x1202f1]
Updated•10 years ago
Keywords: testcase-wanted
Updated•3 years ago
Product: External Software Affecting Firefox → External Software Affecting Firefox Graveyard