Closed Bug 502648 (CVE-2009-2478) Opened 12 years ago Closed 8 years ago

Crash when scrolling in Flash with wmode=transparent [NPSWF32.dll@0x50abd]

Categories

(External Software Affecting Firefox :: Flash (Adobe), defect)

x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: u348128, Assigned: cliss)

References

()

Details

(Keywords: crash, sec-vector, testcase, Whiteboard: [sg:vector-dos (flash)])

Attachments

(3 files, 1 obsolete file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.1) Gecko/20090624 Firefox/3.5 (.NET CLR 3.5.30729)

This was first reported in bug 501304, but it seems to be a different bug.

From the top crash reports, the following page crashes, with good reproducibility:

http://www.crazyprofile.com/water_effect/water_effect.asp

Wait until everything is loaded. Then scroll down. Bang! Consistent.

A minimized version can be found here:

http://web.inter.nl.net/users/L.B.Kruijswijk/FFflashcrash.html

Important:
- The flash animation must be outside the visible screen when loading.
- Scroll down to get the crash.
- The wmode='transparent' parameter is important. When I remove it, it doesn't crash anymore.

Reproducible: Always

Steps to Reproduce:
1. Go to site.
2. Wait until everything is loaded.
3. Scroll down.
Actual Results:  
Crash.

Expected Results:  
No crash.

Crash IDs:
73296a73-ed85-435a-aba0-99d382090705	6-7-2009	0:28
74d13d11-f90d-4430-a987-a72482090705	5-7-2009	18:25
66c4defa-167a-4d23-8999-81cd92090705	5-7-2009	15:29
c14f7078-5b02-429e-a752-6b7f62090705	5-7-2009	13:41
f4fee6ae-f924-4605-a6c3-7a1652090705	5-7-2009	13:37
57ce6043-257c-46ce-a677-fde5b2090704	5-7-2009	0:52
91e82746-987a-4633-af1f-7c1432090704	5-7-2009	0:48
b7cc5f3e-6276-4831-94dd-71fef2090704	5-7-2009	0:47
538e3eef-fc7f-40a9-a113-fb9e72090704	5-7-2009	0:37
8c5686fc-f982-46d5-a430-46a4b2090704	5-7-2009	0:26
ffcc3cb3-f3b7-45f9-8b46-e89162090704	5-7-2009	0:26
Can someone confirm this bug?

Can someone check with 3.0.11? I don't have that version on my PC anymore.

I only volunteer to reproduce bugs, I won't analyze this further.
Lucas, can you please attach your reduced testcase to this bug? Then we can take care of it. Thanks for your work.
Status: UNCONFIRMED → NEW
Component: General → Plug-ins
Ever confirmed: true
OS: Windows XP → All
Product: Firefox → Core
QA Contact: general → plugins
Hardware: x86 → All
Version: unspecified → 1.9.1 Branch
Michelle, could the Adobe team please have a look at this bug? It's highly reproducible and happens with the latest Flash version installed.
OS: All → Windows XP
Hardware: All → x86
(In reply to comment #4)
> Regression range is:
> http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&date=explicit&mindate=2006-06-06+09%3A00&maxdate=2006-06-06+14%3A00
> Bug 325465 seems to have caused this.

Vlad, could this be a regression from your patch?
Problem occurs also on Windows Vista
See 4d8a944e-ab45-40d5-a547-1918d2090706
Could be, but without knowing what flash is doing, I don't know how to say one way or the other.
Attached file Test with simplified HTML (obsolete)
Henrik, the test case was on my site. See link of this bug.

I attached it also. But it does not contain the flash animation. I have no means to simplify that. It is important that it is loaded outside the visible part, and the wmode=transparent is also important.

By the way, I found this bug on the top crash sites. But those are from:
Firefox 3.1b2

There is no list for 3.5. Where should I report that?
Reproduced. Thanks for the sample URL. Can you attach your SWF as well so I can have the whole package locally for testing?
Attached file testcase
This one uses the formerly uploaded swf file on Bugzilla.
Attachment #387059 - Attachment is obsolete: true
(In reply to comment #8)
> Henrik, the test case was on my site. See link of this bug.

I know but at this time it wasn't loading. So now we have both files online as a testcase.
Thank you.
Debuglog created by Windbg for this bug
Attachment #387735 - Attachment mime type: application/octet-stream → text/plain
Per bug 503947 can users with this crash also say if they have the McAfee Site Advisor extension enabled and if disabling it helps with the crash?

This will help us write support articles with potential workarounds.
This bug is not related to McAfee, it is a hard crasher.
Info from Jesse Ruderman:

Bug 502648 looks like a null deref, which is not exploitable.  See
http://www.squarefree.com/2006/11/02/determining-whether-a-crash-looks-exploitable/
for how I evaluate crash stacks.
Group: core-security
Whiteboard: [sg:vector-dos (flash)]
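Jesse's rating above turns on the faulting address: a read from an address a few bytes above NULL is a dereference of a null pointer, which aborts the process but gives an attacker nothing to steer, while an execute fault or a write to a large, unusual address is a different matter. The following is an added example, not code from this bug, its attachments, or Mozilla's own tooling, that applies those heuristics to a WinDbg exception record in the layout `.exr -1` prints. The records it builds are constructed for illustration; the `example!frob` module name and the addresses in them are placeholders, not values from the attached debug log.

```python
"""Crash-record triage along the lines of the squarefree.com heuristics.

Added example: parses a WinDbg-style exception record and rates the fault.
Every record built by sample_record() is constructed for illustration and is
NOT the Windbg log attached to bug 502648.
"""
import re

# Parameter[0] of STATUS_ACCESS_VIOLATION (EXCEPTION_RECORD.ExceptionInformation[0]):
# 0 = read fault, 1 = write fault, 8 = DEP / instruction-fetch fault.
ACCESS_KIND = {0: "read", 1: "write", 8: "execute"}

STATUS_ACCESS_VIOLATION = 0xC0000005

# User-mode Windows never maps the lowest 64 KiB, so a fault there is a NULL
# pointer plus a small field offset rather than an attacker-chosen address.
NULL_PAGE_LIMIT = 0x10000

# Matches "   Parameter[1]: 00000018" and "ExceptionCode: c0000005 (...)".
_FIELD = re.compile(r"^\s*(\w+(?:\[\d\])?):\s*([0-9a-fA-F]+)", re.M)


def parse_exception_record(text):
    """Map the hex-valued 'Name: value' lines of a .exr dump to integers."""
    return {m.group(1): int(m.group(2), 16) for m in _FIELD.finditer(text)}


def triage(text):
    """Return (rating, reason) for one exception record.

    'dos-only': NULL dereference, crash but nothing to steer.
    'likely-exploitable': instruction fetch from a bad address or a wild write.
    'needs-analysis': wild read, or NULL-relative write (exploitable only if
    the offset is attacker-chosen); look at what feeds the pointer.
    'unknown': not an access violation, or no access kind recorded.
    """
    rec = parse_exception_record(text)
    if rec.get("ExceptionCode") != STATUS_ACCESS_VIOLATION:
        return "unknown", "not an access violation; read the stack by hand"
    kind = ACCESS_KIND.get(rec.get("Parameter[0]"), "unknown")
    if kind == "unknown":
        return "unknown", "access kind missing from the record"
    addr = rec.get("Parameter[1]", 0)
    near_null = addr < NULL_PAGE_LIMIT
    if kind == "execute":
        return "likely-exploitable", f"instruction fetch from {addr:#010x}: control flow already diverted"
    if kind == "write" and not near_null:
        return "likely-exploitable", f"write to {addr:#010x}: destination may be attacker-controlled"
    if kind == "write":
        return "needs-analysis", f"write to NULL+{addr:#x}: exploitable only if the offset is attacker-chosen"
    if near_null:
        return "dos-only", f"read from NULL+{addr:#x}: plain NULL dereference"
    return "needs-analysis", f"read from {addr:#010x}: wild read, check what feeds the pointer"


def sample_record(access, address, module="example!frob+0x12"):
    """Build a constructed WinDbg-style record (hypothetical module and addresses)."""
    verb = {"read": "read from", "write": "write to",
            "execute": "execute non-executable"}[access]
    code = {"read": 0, "write": 1, "execute": 8}[access]
    return (
        f"ExceptionAddress: 10001234 ({module})\n"
        f"   ExceptionCode: c0000005 (Access violation)\n"
        f"  ExceptionFlags: 00000000\n"
        f"NumberParameters: 2\n"
        f"   Parameter[0]: {code:08x}\n"
        f"   Parameter[1]: {address:08x}\n"
        f"Attempt to {verb} address {address:08x}\n"
    )


if __name__ == "__main__":
    for access, addr in (("read", 0x18), ("write", 0x41414141), ("execute", 0x41414141)):
        rating, reason = triage(sample_record(access, addr))
        print(f"{access:7s} {addr:#010x} -> {rating}: {reason}")
```

A real triage still reads the stack: the address heuristic says what class of bug a single crash looks like, not whether a different input could move the pointer, which is why the bug stays tagged as a vector DoS rather than closed as harmless.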
The crashing hi5 site could be found from the top crash by URL:

http://hi5.com/friend/p113543309--%E2%98%82%20%E2%86%92%20%20%20p%20%E2%80%98%20a%20tt%20%E2%84%A2--html
Not sure who assigned the CVE, possibly based on the references in bug 503286.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2478
Alias: CVE-2009-2478
Internal bug #2371949
For the record, this is triggerable with Firefox builds as old as 2007-01-01.
This is fixed in the latest release of Flash Player 10.0.32.18
Charles, I've got flash version 10.0.32.18 and I still see this crash when scrolling the testcase attached to this bug :(
Sorry, had my build information crossed. It will be fixed in our public beta later this year.
Assignee: nobody → cliss
Status: NEW → ASSIGNED
Public beta released. This is now fixed.

http://labs.adobe.com/downloads/flashplayer10.html
Using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 and Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2b4pre) Gecko/20091118 Namoroka/3.6b4pre I don't crash when scrolling the testcase. I am using Version: 10.1.51.45 Shockwave Flash 10.1 d51.
Marcia, can you test it on Windows too? No comment on that bug mentioned that it happens on OS X too? Were you able to see it on OS X?
I tested on Win 7 with the updated flash plugin using Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2b4pre) Gecko/20091118 Namoroka/3.6b4pre (.NET CLR 3.5.30729). Will test on XP the next time I trek down to the lab.

(In reply to comment #27)
> Marcia, can you test it on Windows too? No comment on that bug mentioned that
> it happens on OS X too? Were you able to see it on OS X?
Works fine on XP too with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2b4pre) Gecko/20091118 Namoroka/3.6b4pre (.NET CLR 3.5.30729)

When do we close such bugs? Once the final release of the external application happened?
Tested on XP on the lab. Confirmed the crash with the older version of flash, then installed the new version and no crash using latest 1.9.2 nightly. I think we should wait until the final release of that version before we close the bug.
Close fixed if you don't mind. While it's a beta player it's still an official release.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Still crashes with crazyprofile.com:

bp-889d4358-c533-4943-aa30-f8ad22100210

Flash: 10.0.42.34

Lucas
Reopening based on latest comment. Charles, can't you see the crash with Lucas's version?
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Group: core-security
Component: Plug-ins → Flash (Adobe)
Product: Core → Plugins
QA Contact: plugins → adobe-flash
Version: 1.9.1 Branch → unspecified
Group: core-security
Keywords: sec-vector
Keywords: sec-other
Group: core-security
Status: REOPENED → RESOLVED
Closed: 11 years ago → 8 years ago
Resolution: --- → WORKSFORME