TM: Crash [@ __memcpy - jsstr::js_StringReplaceHelper()]

VERIFIED DUPLICATE of bug 505305

Status

()

Core
JavaScript Engine
--
critical
VERIFIED DUPLICATE of bug 505305
9 years ago
7 years ago

People

(Reporter: aaronmt, Unassigned)

Tracking

({crash, verified1.9.1})

Trunk
crash, verified1.9.1
Points:
---
Bug Flags:
wanted1.9.0.x -

Firefox Tracking Flags

(blocking1.9.1 .2+, status1.9.1 .2-fixed)

Details

(Whiteboard: [sg:dupe 505305], crash signature, URL)

(Reporter)

Description

9 years ago
Crash on load of URL in do_replace()

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090720 Minefield/3.6a1pre

http://crash-stats.mozilla.com/report/index/d71bd634-ce61-431f-9cac-c5c4c2090720

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x1efffff0
0xffff0af6 in ___memcpy ()

#0  0xffff0af6 in ___memcpy () at /System/Library/Frameworks/System.framework/PrivateHeaders/i386/cpu_capabilities.h:246
#1  0x00361e51 in do_replace (cx=0xac7600, rdata=0xbfffcb40, chars=0x16df82f0) at /Users/mozilla/mozilla-central/js/src/jsstr.cpp:1696
#2  0x003640b7 in js_StringReplaceHelper (cx=0xac7600, argc=4294903656, lambda=0x0, repstr=0x17203c80, vp=0xc2fcf4) at /Users/mozilla/mozilla-central/js/src/jsstr.cpp:1832
#3  0x0036413f in str_replace (cx=0xac7600, argc=2, vp=0xc2fcf4) at /Users/mozilla/mozilla-central/js/src/jsstr.cpp:1775
#4  0x002c72d7 in js_Interpret (cx=0xac7600) at /Users/mozilla/mozilla-central/js/src/jsinterp.cpp:5182
#5  0x002d9ceb in js_Invoke (cx=0xac7600, argc=1, vp=0xc2fc24, flags=32) at jsinterp.cpp:1370
#6  0x002da758 in js_InternalInvoke (cx=0xac7600, obj=<value temporarily unavailable, due to optimizations>, fval=342388848, flags=0, argc=1, argv=0xc2fc20, rval=0xbfffd3b8) at jsinterp.cpp:1442
#7  0x00247353 in JS_CallFunctionValue (cx=0xac7600, obj=0xffff0768, fval=-63640, argc=4294903656, argv=0xffff0768, rval=0xffff0768) at /Users/mozilla/mozilla-central/js/src/jsapi.cpp:5199
#8  0x18b3bae1 in nsJSContext::CallEventHandler (this=0x1b907bf0, aTarget=0x126d65e0, aScope=0x19e64c60, aHandler=<value temporarily unavailable, due to optimizations>, aargv=0x16dbd980, arv=0xbfffd5f4) at /Users/mozilla/mozilla-central/dom/base/nsJSEnvironment.cpp:2092
#9  0x18bd8b4b in nsCOMPtr<nsIVariant>::get () at nsCOMPtr.h:247
#10 0x18bd8b4b in ~nsGetterAddRefs [inlined] () at nsCOMPtr.h:1329

EXPLOITABLE: Exploitable - User Mode Write AV starting at MSVCR80D!strnicmp+0x00000000000003a3 (Hash=0x171a7743.0x3e542632): http://www.donorschoose.org/donors/
search.html?page=9&keywords=music&max=50: EXIT STATUS: ABNORMAL 84 (95.610000 seconds)

Updated

9 years ago
Group: core-security

Comment 1

9 years ago
argc=4294903656? Thats unlikely.

#2  0x003640b7 in js_StringReplaceHelper (cx=0xac7600, argc=4294903656,
lambda=0x0, repstr=0x17203c80, vp=0xc2fcf4) at
/Users/mozilla/mozilla-central/js/src/jsstr.cpp:1832
#3  0x0036413f in str_replace (cx=0xac7600, argc=2, vp=0xc2fcf4) at

Updated

9 years ago
blocking1.9.1: --- → ?

Comment 2

9 years ago
how about branch?
gal: this looks like the bug that I mentioned to you earlier today.

Comment 4

9 years ago
argc is just passed through here. Either the stack dump is lying, or the stack got blown away (partially). I have my money on the former, since otherwise the stack walk wouldn't work properly.

static JSBool
str_replace(JSContext *cx, uintN argc, jsval *vp)
{
    JSObject *lambda;
    JSString *repstr;

    if (argc >= 2 && JS_TypeOfValue(cx, vp[3]) == JSTYPE_FUNCTION) {
        lambda = JSVAL_TO_OBJECT(vp[3]);
        repstr = NULL;
    } else {
	lambda = NULL;
        repstr = ArgToRootedString(cx, argc, vp, 1);
        if (!repstr)
            return JS_FALSE;
    }

    return js_StringReplaceHelper(cx, argc, lambda, repstr, vp);
}
(Reporter)

Comment 5

9 years ago
Crash on debug build

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2pre) Gecko/20090720 Shiretoko/3.5.2pre

and relbranch 3.5.1

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1

http://crash-stats.mozilla.com/report/index/c86e576f-0efc-43bd-a130-fd8c52090720?p=1
(Reporter)

Updated

9 years ago
Duplicate of this bug: 505364
(Reporter)

Updated

9 years ago
Duplicate of this bug: 505364
Duping to Tomcat's bug, which beat this one out by about a day.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 505305
v. dupe
Status: RESOLVED → VERIFIED
I'm going to mark this blocking because I marked bug 505305 blocking. We should ensure this case is completely fixed as well when verifying bug 505305.
blocking1.9.1: ? → .2+
Blake checked in his fix for 1.9.1.2
status1.9.1: --- → .2-fixed
Verified vicariously through 505305. Adding the keyword verified1.9.1 to dot the i.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)
Keywords: verified1.9.1
Whiteboard: [sg:dupe 505305]
Group: core-security
Flags: wanted1.9.0.x-
Crash Signature: [@ __memcpy - jsstr::js_StringReplaceHelper()]
You need to log in before you can comment on or make changes to this bug.