
Reproducible WMV crash [@ npdsplay.dll@0x1e9a3]

Status: RESOLVED INCOMPLETE
Priority: --
Severity: critical
Reported: 9 years ago
Modified: 3 years ago

People
Reporter: jbecerra (Unassigned)

Tracking
Keywords: crash, sec-vector
Version: 11.x
Platform: x86, Windows XP

Details
Whiteboard: [sg:vector-dos wmp][crashkill outreach]

Attachments
1 attachment: 34.84 KB, application/java-archive (from the reporter)

Description

9 years ago
Created attachment 396366 [details]
wget'd page zipped

Load the URL provided and crash. 1.9.0, 1.9.1, and 1.9.2 also crash.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090819 Minefield/3.7a1pre (.NET CLR 3.5.30729)
Flash Version: 10.0.32.18.

(f90.78): Access violation - code c0000005 (!!! second chance !!!)
eax=5f380753 ebx=06acc758 ecx=06acc6f8 edx=00000000 esi=5f37a7f1 edi=00000000
eip=5f34e9a3 esp=0012eba8 ebp=0012ebb4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Windows Media Player\npdsplay.dll -
npdsplay!unuse_netscape_plugin_Plugin+0x88c3:
5f34e9a3 8a27            mov     ah,byte ptr [edi]          ds:0023:00000000=??
0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitable;k;q'
Opened log file 'dbgeng.log'
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\xpcom_core.dll
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\components\gklayout.dll
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\components\gkplugin.dll
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\components\necko.dll
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\components\gkwidget.dll
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\components\tkitcmps.dll
*** WARNING: Unable to verify checksum for c:\projects\mozcentral\ffx-dbg\dist\bin\xul.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at npdsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 (Hash=0x7f271a42.0x5b12103c)

The data from the faulting address is later used to determine whether or not a branch is taken.
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ebb4 5f33d2e8 npdsplay!unuse_netscape_plugin_Plugin+0x88c3
0012ebd8 00449616 npdsplay!native_NPDS_npDSJavaPeer_StreamSelect+0x29f8
0012ebe0 0042fdfb nspr4!PR_GetCurrentThread+0x16
0012ebf4 0031514b nspr4!PR_GetThreadPrivate+0xb
0012ec1c 01ccb133 xpcom_core!NS_LogRelease_P+0x1b
0012ec34 0196acdc gklayout!nsHTMLDocument::Release+0x23
0012ec44 01a6a115 gklayout!nsCOMPtr<nsIDocument>::~nsCOMPtr<nsIDocument>+0x3c
0012ec64 06aa7548 gklayout!nsPluginInstanceOwner::GetMode+0x95
0012ec94 0042fdfb 0x6aa7548
0012eca8 0012eccc nspr4!PR_GetThreadPrivate+0xb
0012ed24 02865820 0x12eccc
0012ed2c 0287be1a gkplugin!nsNPAPIPluginInstance::Initialize+0x80
0012f050 0287b680 gkplugin!nsPluginHost::TrySetUpPluginInstance+0x5aa
0012f0a4 02879937 gkplugin!nsPluginHost::SetUpPluginInstance+0x40
0012f36c 02873a06 gkplugin!nsPluginHost::InstantiateEmbeddedPlugin+0x947
0012f510 021a10fa gkplugin!nsPluginStreamListenerPeer::OnStartRequest+0x916
0012f6ac 02c69d3c gklayout!nsObjectLoadingContent::OnStartRequest+0xeca
0012f6f8 02c6a9f9 necko!nsHttpChannel::CallOnStartRequest+0x2ec
0012f76c 02c6a4d2 necko!nsHttpChannel::ProcessNormal+0x239
0012f78c 02c77138 necko!nsHttpChannel::ProcessResponse+0x202
quit:

Comment 1

9 years ago
Reproducible on Mac.
Product: Firefox  Version: 3.5.3pre
Build ID: 20090821030839

http://crash-stats.mozilla.com/report/index/7094ff7d-876a-4fc7-9dc7-4b7ea2090824

0  	libSystem.B.dylib  	strcasecmp_l  	
1 	libSystem.B.dylib 	strcasecmp 	
2 	Flip4Mac WMV Plugin 	Flip4Mac WMV Plugin@0x5556 	
3 	Flip4Mac WMV Plugin 	Flip4Mac WMV Plugin@0x56f1 	
4 	Flip4Mac WMV Plugin 	Flip4Mac WMV Plugin@0x5d91 	
5 	XUL 	nsNPAPIPluginInstance::InitializePlugin 	modules/plugin/base/src/nsNPAPIPluginInstance.cpp:1030
6 	XUL 	nsPluginHostImpl::TrySetUpPluginInstance 	modules/plugin/base/src/nsPluginHostImpl.cpp:3872
7 	XUL 	nsPluginHostImpl::SetUpPluginInstance 	modules/plugin/base/src/nsPluginHostImpl.cpp:3670
8 	XUL 	nsPluginHostImpl::InstantiateEmbeddedPlugin 	modules/plugin/base/src/nsPluginHostImpl.cpp:3361
9 	XUL 	nsPluginStreamListenerPeer::OnStartRequest 	modules/plugin/base/src/nsPluginHostImpl.cpp:2025
10 	XUL 	nsObjectLoadingContent::OnStartRequest 	content/base/src/nsObjectLoadingContent.cpp:608
11 	XUL 	NS_InvokeByIndex_P 	xpcom/reflect/xptcall/src/md/unix/xptcinvoke_unixish_x86.cpp:179
12 	XUL 	XPCWrappedNative::CallMethod 	js/src/xpconnect/src/xpcwrappednative.cpp:2454
13 	XUL 	XPC_WN_CallMethod 	js/src/xpconnect/src/xpcwrappednativejsops.cpp:1590
14 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1386
15 	libmozjs.dylib 	js_Interpret 	js/src/jsinterp.cpp:5179
16 	libmozjs.dylib 	js_Invoke 	js/src/jsinterp.cpp:1394
17 	XUL 	nsXPCWrappedJSClass::CallMethod 	js/src/xpconnect/src/xpcwrappedjsclass.cpp:1697
18 	XUL 	nsXPCWrappedJS::CallMethod 	js/src/xpconnect/src/xpcwrappedjs.cpp:569
19 	XUL 	PrepareAndDispatch 	xpcom/reflect/xptcall/src/md/unix/xptcstubs_unixish_x86.cpp:93
20 	XUL 	PrepareAndDispatch 	
21 	XUL 	nsHttpChannel::CallOnStartRequest 	netwerk/protocol/http/src/nsHttpChannel.cpp:846
22 	XUL 	nsHttpChannel::ProcessNormal 	netwerk/protocol/http/src/nsHttpChannel.cpp:1128
23 	XUL 	nsHttpChannel::ProcessResponse 	netwerk/protocol/http/src/nsHttpChannel.cpp:997
24 	XUL 	nsHttpChannel::OnStartRequest 	netwerk/protocol/http/src/nsHttpChannel.cpp:4868
25 	XUL 	nsInputStreamPump::OnStateStart 	netwerk/base/src/nsInputStreamPump.cpp:439
26 	XUL 	nsInputStreamPump::OnInputStreamReady 	netwerk/base/src/nsInputStreamPump.cpp:395
27 	XUL 	nsInputStreamReadyEvent::Run 	xpcom/io/nsStreamUtils.cpp:111
28 	XUL 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:510
29 	XUL 	NS_ProcessPendingEvents_P 	nsThreadUtils.cpp:180
30 	XUL 	nsBaseAppShell::NativeEventCallback 	widget/src/xpwidgets/nsBaseAppShell.cpp:121
31 	XUL 	nsAppShell::ProcessGeckoEvents 	widget/src/cocoa/nsAppShell.mm:405
32 	CoreFoundation 	CFRunLoopRunSpecific 	
33 	CoreFoundation 	CFRunLoopRunInMode 	
34 	HIToolbox 	RunCurrentEventLoopInMode 	
35 	HIToolbox 	ReceiveNextEventCommon 	
36 	HIToolbox 	BlockUntilNextEventMatchingListInMode 	
37 	AppKit 	_DPSNextEvent 	
38 	AppKit 	-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] 	
39 	AppKit 	-[NSApplication run] 	
40 	XUL 	nsAppShell::Run 	widget/src/cocoa/nsAppShell.mm:720
41 	XUL 	nsAppStartup::Run 	toolkit/components/startup/src/nsAppStartup.cpp:193
42 	XUL 	XRE_main 	toolkit/xre/nsAppRunner.cpp:3321
43 	firefox-bin 	main 	browser/app/nsBrowserApp.cpp:156
44 	firefox-bin 	firefox-bin@0x1541 	
45 	firefox-bin 	firefox-bin@0x1468 	
46 		@0x2
Summary: Data from Faulting Address controls Branch Selection starting at np dsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 (Hash=0x7f271a42.0x5b12103c) → reproducible crash np dsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 and [@strcasecmp_l ]

Comment 2

9 years ago
Firefox 3.5.2 Crash Report [@npdsplay.dll@0x1e9a3 ]
Signature: npdsplay.dll@0x1e9a3
http://crash-stats.mozilla.com/report/index/10029468-b956-4c6e-8945-5fc362090824

I think these are dup signatures of stuff already on file.
Summary: reproducible crash np dsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 and [@strcasecmp_l ] → reproducible crash [@npdsplay.dll@0x1e9a3 ] and [@strcasecmp_l ] np dsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3

Comment 3

9 years ago
Maybe bug 511767.

Comment 4

9 years ago
Do we have contacts who work on Windows Media Player and Flip4Mac?  We can't fix this bug ourselves.
Summary: reproducible crash [@npdsplay.dll@0x1e9a3 ] and [@strcasecmp_l ] np dsplay!unuse_netscape_plugin_Plugin+0x00000000000088c3 → Reproducible WMV crash [@ npdsplay.dll@0x1e9a3] and [@ strcasecmp_l] [@ Flip4Mac WMV Plugin@0x5556]

Comment 5

9 years ago
Yeah, if we think there is a possible security implication in their code beyond a DoS, we should send a report from security@mozilla.org to security@microsoft.com.

We should also do this if we don't want to take the time, or can't, to figure out the possible security implications.

We could just send mail to Microsoft, ask for a cc mail address and give that bugzilla account access to the bug.

It may be harder to find something for Flip. Flip might license code from Microsoft, so Microsoft might have a contact.

We could just try mail to security@theflip.com, but I guess a smaller consumer product company like that may not have security@ set up.

On http://www.theflip.com/privacy.shtml I see another possible e-mail:

13. QUESTIONS OR COMMENTS

If you have any questions, comments, or concerns relating to the Pure Digital Services or this privacy policy, please send an e-mail to privacy@puredigitalinc.com or write to us at:

Pure Digital Technologies, Inc.
Attn: Privacy Compliance Officer
30 Maiden Lane
6th Floor
San Francisco, CA 94108


Sound like a plan?  If this makes sense, can dveditz, bsterne, reed, or someone else who has the mail cert send this mail?

Comment 6

9 years ago
The mail should also reference and grant access to bug 511767.

Updated

9 years ago
Whiteboard: [sg:vector wmp]
The WMP crash in comment 0 is a null deref.

A crash in Flip4Mac should get its own bug; there's no relation between these two as far as I know. There's not enough information in comment 1 to say whether the Flip4Mac crash is a problem or not.
Whiteboard: [sg:vector wmp] → [sg:vector-dos wmp]
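To check the null-deref conclusion above against the cdb dump in comment 0, here is an added triage helper (not part of this bug or of any Mozilla tool) that parses the register lines and the faulting instruction, confirms the base register is zero and the access is a read, and classifies the fault; the embedded dump is a constructed excerpt of comment 0 and the 64 KiB null-page threshold is an assumed triage convention.

```python
import re

# Excerpt of the cdb output from comment 0 (constructed copy, trimmed to the lines used).
CDB_EXCERPT = """\
(f90.78): Access violation - code c0000005 (!!! second chance !!!)
eax=5f380753 ebx=06acc758 ecx=06acc6f8 edx=00000000 esi=5f37a7f1 edi=00000000
eip=5f34e9a3 esp=0012eba8 ebp=0012ebb4 iopl=0         nv up ei pl nz na po nc
npdsplay!unuse_netscape_plugin_Plugin+0x88c3:
5f34e9a3 8a27            mov     ah,byte ptr [edi]          ds:0023:00000000=??
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
# "<addr> <opcode bytes> <mnemonic> <operands> ds:<seg>:<effective address>=..."
FAULT_RE = re.compile(
    r"^(?P<addr>[0-9a-f]{8}) +[0-9a-f]+ +(?P<mnem>\w+) +(?P<ops>.+?) +ds:[0-9a-f]{4}:(?P<ea>[0-9a-f]{8})=",
    re.M,
)
# Assumed triage threshold: the lowest 64 KiB of a Win32 process is never mapped,
# so an effective address below it is a null (or near-null) pointer, not a wild one.
NULL_PAGE_LIMIT = 0x10000


def parse_dump(text):
    """Return (registers, mnemonic, operands, effective address) from a cdb excerpt."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    m = FAULT_RE.search(text)
    if not m:
        raise ValueError("no faulting instruction line found")
    return regs, m.group("mnem"), m.group("ops"), int(m.group("ea"), 16)


def classify(text):
    """Decide whether the fault is a plain null-pointer read (DoS) or needs a closer look."""
    regs, _mnem, ops, ea = parse_dump(text)
    dst, _, src = ops.partition(",")
    # A memory operand on the source side only means the fault is a read, not a write.
    is_read = "[" in src and "[" not in dst
    # Confirm the base register of the memory operand really holds zero.
    base = re.search(r"\[(\w+)", src + dst)
    base_reg = base.group(1) if base else None
    base_is_zero = regs.get(base_reg, -1) == 0
    if ea < NULL_PAGE_LIMIT and is_read and base_is_zero:
        return "null-deref read: crash only (DoS), no memory corruption from this instruction"
    if ea < NULL_PAGE_LIMIT:
        return "null-page access, write or unclear direction: review before classing as DoS"
    return "non-null faulting address: needs manual analysis"
```

`classify(CDB_EXCERPT)` reports a null-deref read, matching the [sg:vector-dos] rating; a write through the same null register would instead be flagged for review.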

Updated

9 years ago
Whiteboard: [sg:vector-dos wmp] → [sg:vector-dos wmp][crashkill outreach]

Updated

9 years ago
Component: Plug-ins → Windows Media Player (Microsoft)
Product: Core → Plugins
QA Contact: plugins → microsoft-wmp
Version: Trunk → 3.x

Updated

9 years ago
Blocks: 558772

Comment 8

9 years ago
I've filed bug 558772 for Flip4Mac.
Summary: Reproducible WMV crash [@ npdsplay.dll@0x1e9a3] and [@ strcasecmp_l] [@ Flip4Mac WMV Plugin@0x5556] → Reproducible WMV crash [@ npdsplay.dll@0x1e9a3]

Updated

9 years ago
Version: 3.x → 11.x
(Assignee)

Updated

7 years ago
Crash Signature: [@ npdsplay.dll@0x1e9a3]
Keywords: sec-vector
Keywords: sec-other

Comment 9

6 years ago
Not going to track this further.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INCOMPLETE
Group: core-security
(Assignee)

Updated

3 years ago
Product: Plugins → Plugins Graveyard