Crash [ @ NPSWF32+0x9120b ] | Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at NPSWF32+0x000000000009120b

RESOLVED WORKSFORME

Status

External Software Affecting Firefox
Flash (Adobe)
--
critical
RESOLVED WORKSFORME
8 years ago
2 years ago

People

(Reporter: bc, Unassigned)

Tracking

({crash})

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

8 years ago
Flash 10.0.42.34

http://www.elinformador.com.ve/diario/2009.11.01

(d98.1f4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000260 ebx=0000008a ecx=00000000 edx=00000000 esi=000000ba edi=0727dad0
eip=06c5120b esp=0012dd34 ebp=0012dd84 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00240246

Exploitability Classification: UNKNOWN

Recommended Bug Title: Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at NPSWF32+0x000000000009120b (Hash=0x0a3c3e75.0x73726a4a)

The data from the faulting address is later used as one or more of the arguments to a function call.
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012dd84 06c3ec1c NPSWF32+0x9120b
0012ddb0 06c43d04 NPSWF32+0x7ec1c
0012dde8 06c1bdbd NPSWF32+0x83d04
0012ddf8 06c1be70 NPSWF32+0x5bdbd
0012de04 06c37189 NPSWF32+0x5be70
0012de14 06c35a7d NPSWF32+0x77189
0012de28 06c45a18 NPSWF32+0x75a7d
0012e6e4 06c46351 NPSWF32+0x85a18
0012e6f8 06c49aed NPSWF32+0x86351
0012e740 77f16f0a NPSWF32+0x89aed
00000000 00000000 GDI32!DeleteDC+0xab
(Reporter)

Comment 1

8 years ago
Actually, this one didn't crash. Are these non-crashing !exploitable reports useful at all?
Keywords: crash
Summary: Crash [ @ NPSWF32+0x9120b ] → Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at NPSWF32+0x000000000009120b
(Reporter)

Comment 2

8 years ago
Damn, the first run was with 1.9.2. The second run was with 1.9.3 and it did crash.
Keywords: crash
Summary: Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at NPSWF32+0x000000000009120b → Crash [ @ NPSWF32+0x9120b ] | Data from Faulting Address is used as one or more arguments in a subsequent Function Call starting at NPSWF32+0x000000000009120b
(Reporter)

Comment 3

8 years ago
possibly related

eax=00000034 ebx=6d422608 ecx=0000004c edx=0000000f esi=00000037 edi=00000082
eip=06c3c942 esp=0012d538 ebp=0012d5b8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00240212

06c3c942 8b0c93          mov     ecx,dword ptr [ebx+edx*4] ds:0023:6d422644=????????

Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at NPSWF32+0x000000000007c942 (Hash=0x0a3c3e75.0x5d402c24)
ChildEBP RetAddr  
WARNING: Stack unwind information not available. Following frames may be wrong.
0012d5b8 06c3e644 NPSWF32+0x7c942
0012de28 06c45b16 NPSWF32+0x7e644
0012e6e4 06c46351 NPSWF32+0x85b16
0012e6f8 06c49aed NPSWF32+0x86351
0012e740 77f16f0a NPSWF32+0x89aed
00000000 00000000 GDI32!DeleteDC+0xab
quit:

http://issuu.com/mnovine/docs/mnovine739i?mode=embed&documentId=080529141635-9953d9ac231e42788d00d2305b793e02&layout=grey: EXIT STATUS: ABNORMAL 84 (33.400000 seconds)
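An added triage sketch, not part of the original bug report: it parses the register and stack excerpts from the Description and Comment 3 and checks what the two reports have in common (implied NPSWF32 load address, the first half of the !exploitable hash, and the outermost call frames). The function names are hypothetical, and the hash is treated as an opaque pair of values split at the dot.

```python
import re
from itertools import takewhile

# Excerpts copied from this page: Description (A) and Comment 3 (B).
REPORT_A = """eip=06c5120b esp=0012dd34 ebp=0012dd84
(Hash=0x0a3c3e75.0x73726a4a)
0012dd84 06c3ec1c NPSWF32+0x9120b
0012ddb0 06c43d04 NPSWF32+0x7ec1c
0012dde8 06c1bdbd NPSWF32+0x83d04
0012ddf8 06c1be70 NPSWF32+0x5bdbd
0012de04 06c37189 NPSWF32+0x5be70
0012de14 06c35a7d NPSWF32+0x77189
0012de28 06c45a18 NPSWF32+0x75a7d
0012e6e4 06c46351 NPSWF32+0x85a18
0012e6f8 06c49aed NPSWF32+0x86351
0012e740 77f16f0a NPSWF32+0x89aed
00000000 00000000 GDI32!DeleteDC+0xab"""
REPORT_B = """eip=06c3c942 esp=0012d538 ebp=0012d5b8
(Hash=0x0a3c3e75.0x5d402c24)
0012d5b8 06c3e644 NPSWF32+0x7c942
0012de28 06c45b16 NPSWF32+0x7e644
0012e6e4 06c46351 NPSWF32+0x85b16
0012e6f8 06c49aed NPSWF32+0x86351
0012e740 77f16f0a NPSWF32+0x89aed
00000000 00000000 GDI32!DeleteDC+0xab"""

FRAME = re.compile(r"^[0-9a-f]{8} [0-9a-f]{8} +(\S+?)\+0x([0-9a-f]+)$", re.M)

def parse(report):
    """Extract eip, the two hash halves and the (symbol, offset) frames."""
    eip = int(re.search(r"eip=([0-9a-f]{8})", report).group(1), 16)
    major, minor = re.search(r"Hash=(0x[0-9a-f]+)\.(0x[0-9a-f]+)", report).groups()
    frames = [(sym, int(off, 16)) for sym, off in FRAME.findall(report)]
    return {"eip": eip, "major": major, "minor": minor, "frames": frames}

def module_base(rec):
    """Load address implied by eip and the top frame's module offset."""
    return rec["eip"] - rec["frames"][0][1]

def shared_tail(a, b):
    """Frames common to both stacks, counted from the outermost caller."""
    pairs = zip(reversed(a["frames"]), reversed(b["frames"]))
    same = [fa for fa, fb in takewhile(lambda p: p[0] == p[1], pairs)]
    return same[::-1]

if __name__ == "__main__":
    a, b = parse(REPORT_A), parse(REPORT_B)
    print(hex(module_base(a)), hex(module_base(b)), a["major"] == b["major"])
    print([f"{s}+{o:#x}" for s, o in shared_tail(a, b)])
```

Both debugger logs warn that stack unwind information is unavailable, so the shared frames are supporting evidence for bucketing the reports together, not proof of a common root cause.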
(Reporter)

Comment 4

8 years ago
another crash with this stack http://www.ucsdguardian.org/todays-issue/page/4/

Updated

8 years ago
Duplicate of this bug: 527734
also noticed this crash on mac - changing os to all
OS: Windows XP → All
Hardware: x86 → All
(Reporter)

Comment 7

7 years ago
update crash bugs to critical per guidelines.
Severity: normal → critical
(Reporter)

Comment 8

6 years ago
domain is gone.
Group: mozilla-corporation-confidential
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Component: Plug-ins → Flash (Adobe)
Product: Core → Plugins
QA Contact: plugins → adobe-flash
Resolution: --- → WORKSFORME
Version: Trunk → 10.3

Comment 9

2 years ago
Version and milestone values are being reset to defaults as part of product refactoring.
Version: 10.3 → unspecified