Closed Bug 515781 Opened 16 years ago Closed 16 years ago

Probably Exploitable - Data from Faulting Address control s Code Flow starting at gklayout!nsHTMLSourceElement::BindToTree+0x000000000000008d

Categories

(Core :: Audio/Video, defect)

Product:
Core
Component:
Audio/Video
Version:
1.9.1 Branch
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 492286

People

(Reporter: cbook, Unassigned)

References

(
URL
)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dupe 492286])

note: filing as sg bug because of exploitable output: STR: Load: https://bugzilla.mozilla.org/attachment.cgi?id=376645 Testcase of Bug 492286 -> Crashes Windows/Linux Builds Opt Crashreport ID: http://crash-stats.mozilla.com/report/index/6eafb9aa-d49b-487b-a0a6-862c52090910?p=1 (b78.400): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=7ffd6000 ecx=00000000 edx=00000000 esi=0012f260 edi=0012f380 eip=02d52f3d esp=0012f018 ebp=0012f030 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 gklayout!nsHTMLSourceElement::BindToTree+0x8d: 02d52f3d 8b11 mov edx,dword ptr [ecx] ds:0023:00000000=???????? 0:000> cdb: Reading initial command '!load winext\msec.dll;.logappend;!exploitab le;k;q' Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Data from Faulting Address control s Code Flow starting at gklayout!nsHTMLSourceElement::BindToTree+0x0000000000000 08d (Hash=0x452d2563.0x2f18066e) The data from the faulting address is later used as the target for a branch. ChildEBP RetAddr 0012f030 028bd1be gklayout!nsHTMLSourceElement::BindToTree+0x8d 0012f10c 0285230d gklayout!nsGenericElement::doInsertChildAt+0x45e 0012f130 025fa1ea gklayout!nsDocument::InsertChildAt+0x6d 0012f148 02980248 gklayout!nsINode::AppendChildTo+0x2a 0012f168 0298072f gklayout!nsXMLContentSink::SetDocElement+0x128 0012f1ec 029802b7 gklayout!nsXMLContentSink::HandleStartElement+0x46f 0012f20c 044a030d gklayout!nsXMLContentSink::HandleStartElement+0x27 0012f23c 044a451f gkparser!nsExpatDriver::HandleStartElement+0xbd 0012f24c 044d623e gkparser!Driver_HandleStartElement+0x3f 0012f380 044d85bc gkparser!doContent+0x8ae 0012f3a8 044da029 gkparser!contentProcessor+0x3c 0012f494 044d9787 gkparser!doProlog+0x859 0012f4d0 044d9187 gkparser!prologProcessor+0x87 0012f4ec 044d49b3 gkparser!prologInitProcessor+0x47 0012f53c 044a35c5 gkparser!MOZ_XML_Parse+0x213 0012f564 044a3ad0 gkparser!nsExpatDriver::ParseBuffer+0x195 0012f774 044c195b gkparser!nsExpatDriver::ConsumeToken+0x2d0 0012f7ac 044bf53c gkparser!nsParser::Tokenize+0x14b 0012f7f8 044c077b gkparser!nsParser::ResumeParse+0x19c 0012f848 0348adfc gkparser!nsParser::OnDataAvailable+0x22b quit:
blocking1.9.1: --- → ?
In nsHTMLSourceElement::BindToTree() we're doing: if (!aParent->IsNodeOfType(nsINode::eMEDIA)) return NS_OK; but aParent is null. We could change that to: if (!aParent || !aParent->IsNodeOfType(nsINode::eMEDIA)) return NS_OK; Would that be sufficent?
I don't understand why a new bug is filed for the same issue as bug 492286 is.
Because that one was public, I think, and Tomcat was worried it was a security issue. In general I'd recommend hiding the existing open bug in this kind of case rather than a new duplicate bug unless the crash is incidental to the existing bug. (and in this particular case we don't need to hide the bug because !exploitable is wrong)
Status: NEW → RESOLVED
blocking1.9.1: ? → ---
Closed: 16 years ago
Resolution: --- → DUPLICATE
Well, I filed bug 492286 before there were official builds with video support.
If you suspect something might be a security problem please check the security-sensitive box whether or not builds are released yet. Eventually those branches will get released.
Group: core-security
Whiteboard: [sg:dupe 492286]
Well, in that case, I might as well file every crash bug as security sensitive, I guess. I'd rather see those crashes fixed before release, fwiw.
You need to log in before you can comment on or make changes to this bug.