Bugzilla

Comment 1

•

15 years ago

Version is set to "1.9.1 branch" -- does that mean it's WFM in 1.9.2? If so it's probably a dupe of some bug and it'll be easier to identify that than work up a new patch.

status1.9.1: --- → wanted

Flags: wanted1.9.0.x+

Keywords: testcase-wanted

Whiteboard: [crashkill][crash-automation] → [sg:critical?][crashkill][crash-automation] fix-range-wanted

Comment 2

•

15 years ago

Jeff/Joe: can you take a look and get an answer for comment 1?

Component: General → Graphics

QA Contact: general → thebes

Assignee

Updated

•

15 years ago

Component: Graphics → ImageLib

QA Contact: thebes → imagelib

Assignee

Comment 3

•

15 years ago

I can't reproduce this bug even in 1.9.1, even on Windows.

Comment 4

•

15 years ago

Carsten: chance this was a fluke? Renominate if you can reproduce.

Joe: did you try on a debug build?

Flags: blocking1.9.0.18? → blocking1.9.0.18-

Updated

•

15 years ago

blocking1.9.1: ? → -

Reporter

Comment 5

•

15 years ago

(In reply to comment #4)
> Carsten: chance this was a fluke? Renominate if you can reproduce.
> 
yeah unfortuanly able to reproduce using  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100112 Shiretoko/3.5.8pre 

and same !exploitable output :(

(df4.b0c): Access violation - code c0000005 (!!! second chance !!!)
eax=0642e67c ebx=7ffdf000 ecx=04e91670 edx=dddddddd esi=00d1ab00 edi=00240000
eip=033a2ab0 esp=0012efd4 ebp=0012efe4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** WARNING: Unable to verify checksum for c:\work\mozilla\builds\1.9.1\mozilla\
firefox-debug\dist\bin\components\imglib2.dll
imglib2!imgContainer::GetFrameAt+0x140:
033a2ab0 8b4204          mov     eax,dword ptr [edx+4] ds:0023:dddddde1=????????


Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address control
s Code Flow starting at imglib2!imgContainer::GetFrameAt+0x0000000000000140 (Has
h=0x19294b71.0x5538053c)

The data from the faulting address is later used as the target for a branch.
ChildEBP RetAddr
0012efe4 033c4deb imglib2!imgContainer::GetFrameAt+0x140
0012f3a4 033c4510 imglib2!nsJPEGDecoder::ProcessData+0x8ab
0012f3c0 002cb21a imglib2!ReadDataOut+0x20
0012f3e8 033c44bd xpcom_core!nsStringInputStream::ReadSegments+0xda
0012f408 033bc7c2 imglib2!nsJPEGDecoder::WriteFrom+0x7d
0012f724 0133c174 imglib2!imgRequest::OnDataAvailable+0x802
0012f7a8 0133b2ea necko!nsMultiMixedConv::SendData+0x1d4
0012f84c 033adc7a necko!nsMultiMixedConv::OnDataAvailable+0x78a
0012f870 01301410 imglib2!ProxyListener::OnDataAvailable+0x4a
0012f8c8 013a41ce necko!nsStreamListenerTee::OnDataAvailable+0x1f0
0012f918 012f772d necko!nsHttpChannel::OnDataAvailable+0x25e
0012f988 012f7330 necko!nsInputStreamPump::OnStateTransfer+0x23d
0012f998 002e3ffa necko!nsInputStreamPump::OnInputStreamReady+0x80
0012f9ac 0030601a xpcom_core!nsInputStreamReadyEvent::Run+0x4a
0012f9e8 00296b63 xpcom_core!nsThread::ProcessNextEvent+0x1fa
0012fa04 01e1f85d xpcom_core!NS_ProcessNextEvent_P+0x53
0012fa18 020342db gkwidget!nsBaseAppShell::Run+0x5d
0012fa2c 1000d020 tkitcmps!nsAppStartup::Run+0x6b
0012fed0 00401ac2 xul!XRE_main+0x3000
0012ff34 00401289 firefox!NS_internal_main+0x2b2
quit:

blocking1.9.1: - → ?

Reporter

Comment 6

•

15 years ago

joe: if it helps, the steps to reproduce for comment #5 were - loading  http://217.24.53.18/ - if it does not crash after a few seconds - reload the page and it crashes here within seconds

chris hofmann

Comment 7

•

15 years ago

no crash for me on 3.6 rc1 bits.

 Mozilla/5.0 (Windows; U; Windows NT 5.1; es-CL; rv:1.9.2) Gecko/20100105 Firefox/3.6

tomcat, can you post a breakpad crash report so we can look for related signatures?

Reporter

Comment 8

•

15 years ago

(In reply to comment #7)
> no crash for me on 3.6 rc1 bits.
> 
>  Mozilla/5.0 (Windows; U; Windows NT 5.1; es-CL; rv:1.9.2) Gecko/20100105
> Firefox/3.6
> 
> tomcat, can you post a breakpad crash report so we can look for related
> signatures?

Hi Chris this crash seem to be 1.9.1/1.9.0 specific and also only on debug - was not able to reproduce this on a 1.9.1 opt build - but on debug build

Reporter

Comment 9

•

15 years ago

note also on 1.9.2 debug builds this site triggers:

WARNING: imgContainer::Notify()  Frame is passed decoded frame: file c:/work/moz
illa/builds/1.9.2/mozilla/modules/libpr0n/src/imgContainer.cpp, line 1005

chris hofmann

Comment 10

•

15 years ago

ok, these two signatures look like what we are after.

 [@ imgContainer::GetFrameAt(unsigned int, gfxIImageFrame**) ] 

 [@ _purecall | imgContainer::GetFrameAt(unsigned int, gfxIImageFrame**) ] 

http://crash-stats.mozilla.com/query/query?version=ALL%3AALL&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=contains&query=imgContainer%3A%3AGetFrameAt&build_id=&do_query=1


Correlation to releases

checking --- 20100111-crashdata.csv imgContainer::GetFrameAt
release total-crashes
              imgContainer::GetFrameAt crashes
                         pct.
all     223372  27      0.000120875
3.0.15  2063    1       0.000484731
3.0.16  3888            0
3.5.5   5741            0
3.5.6   13189           0
3.5.7   107869  11      0.000101976
3.6     15796           0
3.6b5   11261           0
3.6b4   1454            0
3.6b3   572             0
3.6b2   700             0
3.6b1   1917            0

all releases
   2 3.0
   2 3.0.1
   1 3.0.10
   1 3.0.14
   1 3.0.15
   8 3.0.17
   1 3.0.4
  11 3.5.7

os breakdown
9       0.333333        Windows NT5.1.2600 Service Pack 3
5       0.185185        Windows NT5.1.2600 Service Pack 2
3       0.111111        Windows NT6.0.6002 Service Pack 2
3       0.111111        Mac OS X10.5.8 9L31a
2       0.0740741       Windows NT5.2.3790 Service Pack 2
2       0.0740741       Mac OS X10.6.2 10C540
1       0.037037        Windows NT6.1.7600
1       0.037037        Windows NT5.1.2600 Dodatek Service Pack 3
1       0.037037        Mac OS X10.5.2 9C2028

Summary: Crash @ imglib2!imgContainer::GetFrameAt+0x0000000000000140 → Crash [@ imgContainer::GetFrameAt(unsigned int, gfxIImageFrame**) ] @ imglib2!imgContainer::GetFrameAt+0x0000000000000140

chris hofmann

Comment 11

•

15 years ago

running at 13-50 crashes per day, with the mean at about 25 per day for 12/1-1/11.

we should keep an eye out.  if numbers increase that might mean someone has found a reproducible way to tickle/exploit this.

here are the places that people have hit the crash with an optimized build more than twice over the last 8 weeks.  some of these seem to be behind auth/popup blocking.  maybe that's involved???

  46 http://flsmithdepot.dyndns.org/zm/index.php?view=montage&group=0
   9 http://217.24.53.18/
   7 http://192.168.2.101/zm/index.php
   6 https://www.parentwatch.com/centers/video/default_NS.asp?ncar=5969&resolution=1
   6 http://www.wilmotmountain.com/subpage.asp?page=experience&type=webcams
   6 http://win-securityspy.beminc.com:8000/++viewlive?cameraNum=0&cameraNum=22&viewMethod=0&imageSize=0&submit=Go&javaOK=&65773
   6 http://192.168.13.35:5350/
   5 http://www.pcove.com/webcam.htm
   5 http://192.168.1.200:8765/++viewlive?cameraNum=1&cameraNum=2&cameraNum=3&cameraNum=4&viewMethod=4&imageSize=640x480&submit=Go&javaOK=&18175
   4 http://www.crtvg.es/
   4 http://playita.servebeer.com/index.php?view=montage&group=0
   4 http://192.168.2.101/zm/index.php?view=montage&group=0
   4 http://192.168.0.108/
   3 http://www.spiegel.de/
   3 http://www.manzaneda.com/index.php?sec=estacion&ap=parte_nieve
   3 http://www.facebook.com/home.php?filter=lf
   3 http://oglobo.globo.com/
   3 http://lechamp1.darktech.org:8150/en/mjpgmain.asp
   3 http://ebizpowerhouse.dynalias.com/CgiStart?page=Single&Language=0
   3 http://149.119.81.124/view/view.shtml

Comment 12

•

15 years ago

Debug only, not blocking but we'd take a patch and should keep our eyes out for it.

blocking1.9.1: ? → -

Boris Zbarsky [:bzbarsky]

Assignee

Updated

•

14 years ago

Assignee: nobody → joe

Comment 14

•

14 years ago

I'll bet money this is the same as bug 524921.

Depends on: CVE-2010-1201

Assignee

Updated

•

14 years ago

Whiteboard: [sg:critical?][crashkill][crash-automation] fix-range-wanted → [sg:critical?][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14]

Damon Sicore (:damons)

Updated

•

14 years ago

Whiteboard: [sg:critical?][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14] → [sg:critical?][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14][critsmash:patch]

Assignee

Comment 15

•

14 years ago

Boris is right!

Status: NEW → RESOLVED

Closed: 14 years ago

Resolution: --- → DUPLICATE

Updated

•

14 years ago

status1.9.2: --- → unaffected

Whiteboard: [sg:critical?][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14][critsmash:patch] → [sg:dupe 524921][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14][critsmash:patch]

Assignee

Updated

•

14 years ago

status2.0: --- → unaffected

Damon Sicore (:damons)

Updated

•

14 years ago

Whiteboard: [sg:dupe 524921][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14][critsmash:patch] → [sg:dupe 524921][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14][critsmash:resolved]

Updated

•

14 years ago

Group: core-security