Closed
Bug 536812
Opened 15 years ago
Closed 14 years ago
Crash [@ imgContainer::GetFrameAt(unsigned int, gfxIImageFrame**) ] @ imglib2!imgContainer::GetFrameAt+0x0000000000000140
Categories
(Core :: Graphics: ImageLib, defect)
Tracking
RESOLVED DUPLICATE of bug 524921
Flag | Tracking | Status
---|---|---
status2.0 | --- | unaffected |
status1.9.2 | --- | unaffected |
blocking1.9.1 | --- | - |
status1.9.1 | --- | .10-fixed |
People
(Reporter: cbook, Assigned: joe)
Details
(Keywords: crash, Whiteboard: [sg:dupe 524921][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14][critsmash:resolved])
Crash Data
Steps to reproduce:
-> Latest 1.9.1/1.9.0 debug build from today
-> Load http://217.24.53.18/
-> Crashes within seconds

(a5c.df4): Access violation - code c0000005 (!!! second chance !!!)
eax=08b2a4fc ebx=7ffd8000 ecx=088fb5c0 edx=dddddddd esi=00d1b3c8 edi=00e8c610
eip=02a12ab0 esp=0012efd4 ebp=0012efe4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
imglib2!imgContainer::GetFrameAt+0x140:
02a12ab0 8b4204 mov eax,dword ptr [edx+4] ds:0023:dddddde1=????????

Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at imglib2!imgContainer::GetFrameAt+0x0000000000000140 (Hash=0x19294b71.0x5538053c)
The data from the faulting address is later used as the target for a branch.

ChildEBP RetAddr
0012efe4 02a34deb imglib2!imgContainer::GetFrameAt+0x140
0012f3a4 02a34510 imglib2!nsJPEGDecoder::ProcessData+0x8ab
0012f3c0 002cb21a imglib2!ReadDataOut+0x20
0012f3e8 02a344bd xpcom_core!nsStringInputStream::ReadSegments+0xda
0012f408 02a2c7c2 imglib2!nsJPEGDecoder::WriteFrom+0x7d
0012f724 02bdc174 imglib2!imgRequest::OnDataAvailable+0x802
0012f7a8 02bdb2ea necko!nsMultiMixedConv::SendData+0x1d4
0012f84c 02a1dc7a necko!nsMultiMixedConv::OnDataAvailable+0x78a
0012f870 02ba1410 imglib2!ProxyListener::OnDataAvailable+0x4a
0012f8c8 02c441ce necko!nsStreamListenerTee::OnDataAvailable+0x1f0
0012f918 02b9772d necko!nsHttpChannel::OnDataAvailable+0x25e
0012f988 02b97330 necko!nsInputStreamPump::OnStateTransfer+0x23d
0012f998 002e3ffa necko!nsInputStreamPump::OnInputStreamReady+0x80
0012f9ac 0030601a xpcom_core!nsInputStreamReadyEvent::Run+0x4a
0012f9e8 00296b63 xpcom_core!nsThread::ProcessNextEvent+0x1fa
0012fa04 028ff85d xpcom_core!NS_ProcessNextEvent_P+0x53
0012fa18 034e42db gkwidget!nsBaseAppShell::Run+0x5d
0012fa2c 1000d020 tkitcmps!nsAppStartup::Run+0x6b
0012fed0 00401ac2 xul!XRE_main+0x3000
0012ff34 00401289 firefox!NS_internal_main+0x2b2
quit:
Flags: blocking1.9.0.18?
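A small triage helper for WinDbg register dumps like the one in this report, added here as an example (it is not part of the bug report or of Mozilla's tooling): it pulls the registers, the faulting memory operand and the !exploitable verdict out of the text, checks that base register plus offset really is the faulting address, and names the debug-heap fill pattern the pointer came from. The FILL_PATTERNS table and the regexes are my assumptions about the dump format; 0xDDDDDDDD is the MSVC debug CRT's freed-memory fill, which is consistent with a crash that only shows on debug builds.

```python
import re

# Register dump and faulting instruction as quoted in this bug's description.
SAMPLE_DUMP = """eax=08b2a4fc ebx=7ffd8000 ecx=088fb5c0 edx=dddddddd esi=00d1b3c8 edi=00e8c610
eip=02a12ab0 esp=0012efd4 ebp=0012efe4 iopl=0 nv up ei pl zr na pe nc
imglib2!imgContainer::GetFrameAt+0x140:
02a12ab0 8b4204 mov eax,dword ptr [edx+4] ds:0023:dddddde1=????????
Exploitability Classification: PROBABLY_EXPLOITABLE
"""

# Fill values the MSVC debug CRT / Windows debug heap write into memory (my own
# table, not from the bug): a pointer built from one came from freed or
# uninitialized memory, which is why such crashes surface only on debug builds.
FILL_PATTERNS = {
    0xDDDDDDDD: "freed heap block (MSVC debug CRT 0xDD free fill)",
    0xCDCDCDCD: "uninitialized heap block (MSVC debug CRT 0xCD alloc fill)",
    0xCCCCCCCC: "uninitialized stack memory (MSVC /RTC 0xCC fill)",
}

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
# "[edx+4] ds:0023:dddddde1=????????" -> base register, offset, target, contents
INSN_RE = re.compile(r"\[(e[a-z]{2})(?:\+([0-9a-fA-F]+)h?)?\]\s+ds:[0-9a-f]{4}:"
                     r"([0-9a-f]{8})=(\?+|[0-9a-f]+)")
CLASS_RE = re.compile(r"Exploitability Classification:\s*(\S+)")

def classify_fill(value):
    # A fill value plus a small field offset still counts as that pattern.
    for fill, meaning in FILL_PATTERNS.items():
        if 0 <= value - fill < 0x1000:
            return meaning
    return None

def triage(dump):
    regs = {name: int(val, 16) for name, val in REG_RE.findall(dump)}
    verdict = CLASS_RE.search(dump)
    result = {"registers": regs, "fault": None,
              "classification": verdict.group(1) if verdict else None}
    insn = INSN_RE.search(dump)
    if insn is None:
        return result
    base, off, target, contents = insn.groups()
    offset = int(off, 16) if off else 0
    result["fault"] = {
        "base_register": base, "offset": offset, "address": int(target, 16),
        "readable": not contents.startswith("?"),  # ???????? means unmapped page
        # sanity check: base register + offset must equal the faulting address
        "matches_register": regs.get(base, -1) + offset == int(target, 16),
        "fill_pattern": classify_fill(regs.get(base, 0)),
    }
    return result
```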
Comment 1•15 years ago
Version is set to "1.9.1 branch" -- does that mean it's WFM in 1.9.2? If so it's probably a dupe of some bug and it'll be easier to identify that than work up a new patch.
status1.9.1: --- → wanted
Flags: wanted1.9.0.x+
Keywords: testcase-wanted
Whiteboard: [crashkill][crash-automation] → [sg:critical?][crashkill][crash-automation] fix-range-wanted
Comment 2•15 years ago
Jeff/Joe: can you take a look and get an answer for comment 1?
Component: General → Graphics
QA Contact: general → thebes
Updated•15 years ago
Component: Graphics → ImageLib
QA Contact: thebes → imagelib
Comment 3•15 years ago
I can't reproduce this bug even in 1.9.1, even on Windows.
Comment 4•15 years ago
Carsten: chance this was a fluke? Renominate if you can reproduce. Joe: did you try on a debug build?
Flags: blocking1.9.0.18? → blocking1.9.0.18-
Updated•15 years ago
blocking1.9.1: ? → -
Comment 5•15 years ago
(In reply to comment #4)
> Carsten: chance this was a fluke? Renominate if you can reproduce.

yeah unfortunately able to reproduce using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100112 Shiretoko/3.5.8pre and same !exploitable output :(

(df4.b0c): Access violation - code c0000005 (!!! second chance !!!)
eax=0642e67c ebx=7ffdf000 ecx=04e91670 edx=dddddddd esi=00d1ab00 edi=00240000
eip=033a2ab0 esp=0012efd4 ebp=0012efe4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
*** WARNING: Unable to verify checksum for c:\work\mozilla\builds\1.9.1\mozilla\firefox-debug\dist\bin\components\imglib2.dll
imglib2!imgContainer::GetFrameAt+0x140:
033a2ab0 8b4204 mov eax,dword ptr [edx+4] ds:0023:dddddde1=????????

Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at imglib2!imgContainer::GetFrameAt+0x0000000000000140 (Hash=0x19294b71.0x5538053c)
The data from the faulting address is later used as the target for a branch.

ChildEBP RetAddr
0012efe4 033c4deb imglib2!imgContainer::GetFrameAt+0x140
0012f3a4 033c4510 imglib2!nsJPEGDecoder::ProcessData+0x8ab
0012f3c0 002cb21a imglib2!ReadDataOut+0x20
0012f3e8 033c44bd xpcom_core!nsStringInputStream::ReadSegments+0xda
0012f408 033bc7c2 imglib2!nsJPEGDecoder::WriteFrom+0x7d
0012f724 0133c174 imglib2!imgRequest::OnDataAvailable+0x802
0012f7a8 0133b2ea necko!nsMultiMixedConv::SendData+0x1d4
0012f84c 033adc7a necko!nsMultiMixedConv::OnDataAvailable+0x78a
0012f870 01301410 imglib2!ProxyListener::OnDataAvailable+0x4a
0012f8c8 013a41ce necko!nsStreamListenerTee::OnDataAvailable+0x1f0
0012f918 012f772d necko!nsHttpChannel::OnDataAvailable+0x25e
0012f988 012f7330 necko!nsInputStreamPump::OnStateTransfer+0x23d
0012f998 002e3ffa necko!nsInputStreamPump::OnInputStreamReady+0x80
0012f9ac 0030601a xpcom_core!nsInputStreamReadyEvent::Run+0x4a
0012f9e8 00296b63 xpcom_core!nsThread::ProcessNextEvent+0x1fa
0012fa04 01e1f85d xpcom_core!NS_ProcessNextEvent_P+0x53
0012fa18 020342db gkwidget!nsBaseAppShell::Run+0x5d
0012fa2c 1000d020 tkitcmps!nsAppStartup::Run+0x6b
0012fed0 00401ac2 xul!XRE_main+0x3000
0012ff34 00401289 firefox!NS_internal_main+0x2b2
quit:
blocking1.9.1: - → ?
Comment 6•15 years ago
joe: if it helps, the steps to reproduce for comment #5 were
- loading http://217.24.53.18/
- if it does not crash after a few seconds, reload the page and it crashes here within seconds
Comment 7•15 years ago
no crash for me on 3.6 rc1 bits.

Mozilla/5.0 (Windows; U; Windows NT 5.1; es-CL; rv:1.9.2) Gecko/20100105 Firefox/3.6

tomcat, can you post a breakpad crash report so we can look for related signatures?
Comment 8•15 years ago
(In reply to comment #7)
> no crash for me on 3.6 rc1 bits.
>
> Mozilla/5.0 (Windows; U; Windows NT 5.1; es-CL; rv:1.9.2) Gecko/20100105
> Firefox/3.6
>
> tomcat, can you post a breakpad crash report so we can look for related
> signatures?

Hi Chris, this crash seems to be 1.9.1/1.9.0 specific and also only on debug - was not able to reproduce this on a 1.9.1 opt build - but on debug build
Comment 9•15 years ago
note also on 1.9.2 debug builds this site triggers:

WARNING: imgContainer::Notify() Frame is passed decoded frame: file c:/work/mozilla/builds/1.9.2/mozilla/modules/libpr0n/src/imgContainer.cpp, line 1005
Comment 10•15 years ago
ok, these two signatures look like what we are after.

[@ imgContainer::GetFrameAt(unsigned int, gfxIImageFrame**) ]
[@ _purecall | imgContainer::GetFrameAt(unsigned int, gfxIImageFrame**) ]

http://crash-stats.mozilla.com/query/query?version=ALL%3AALL&date=&range_value=1&range_unit=weeks&query_search=signature&query_type=contains&query=imgContainer%3A%3AGetFrameAt&build_id=&do_query=1

Correlation to releases checking --- 20100111-crashdata.csv

imgContainer::GetFrameAt

release | total crashes | imgContainer::GetFrameAt crashes | pct.
---|---|---|---
all | 223372 | 27 | 0.000120875
3.0.15 | 2063 | 1 | 0.000484731
3.0.16 | 3888 | 0 |
3.5.5 | 5741 | 0 |
3.5.6 | 13189 | 0 |
3.5.7 | 107869 | 11 | 0.000101976
3.6 | 15796 | 0 |
3.6b5 | 11261 | 0 |
3.6b4 | 1454 | 0 |
3.6b3 | 572 | 0 |
3.6b2 | 700 | 0 |
3.6b1 | 1917 | 0 |

all releases
2 3.0
2 3.0.1
1 3.0.10
1 3.0.14
1 3.0.15
8 3.0.17
1 3.0.4
11 3.5.7

os breakdown
9 0.333333 Windows NT5.1.2600 Service Pack 3
5 0.185185 Windows NT5.1.2600 Service Pack 2
3 0.111111 Windows NT6.0.6002 Service Pack 2
3 0.111111 Mac OS X10.5.8 9L31a
2 0.0740741 Windows NT5.2.3790 Service Pack 2
2 0.0740741 Mac OS X10.6.2 10C540
1 0.037037 Windows NT6.1.7600
1 0.037037 Windows NT5.1.2600 Dodatek Service Pack 3
1 0.037037 Mac OS X10.5.2 9C2028
Summary: Crash @ imglib2!imgContainer::GetFrameAt+0x0000000000000140 → Crash [@ imgContainer::GetFrameAt(unsigned int, gfxIImageFrame**) ] @ imglib2!imgContainer::GetFrameAt+0x0000000000000140
Comment 11•15 years ago
running at 13-50 crashes per day, with the mean at about 25 per day for 12/1-1/11. we should keep an eye out. if numbers increase that might mean someone has found a reproducible way to tickle/exploit this.

here are the places that people have hit the crash with an optimized build more than twice over the last 8 weeks. some of these seem to be behind auth/popup blocking. maybe that's involved???

46 http://flsmithdepot.dyndns.org/zm/index.php?view=montage&group=0
9 http://217.24.53.18/
7 http://192.168.2.101/zm/index.php
6 https://www.parentwatch.com/centers/video/default_NS.asp?ncar=5969&resolution=1
6 http://www.wilmotmountain.com/subpage.asp?page=experience&type=webcams
6 http://win-securityspy.beminc.com:8000/++viewlive?cameraNum=0&cameraNum=22&viewMethod=0&imageSize=0&submit=Go&javaOK=&65773
6 http://192.168.13.35:5350/
5 http://www.pcove.com/webcam.htm
5 http://192.168.1.200:8765/++viewlive?cameraNum=1&cameraNum=2&cameraNum=3&cameraNum=4&viewMethod=4&imageSize=640x480&submit=Go&javaOK=&18175
4 http://www.crtvg.es/
4 http://playita.servebeer.com/index.php?view=montage&group=0
4 http://192.168.2.101/zm/index.php?view=montage&group=0
4 http://192.168.0.108/
3 http://www.spiegel.de/
3 http://www.manzaneda.com/index.php?sec=estacion&ap=parte_nieve
3 http://www.facebook.com/home.php?filter=lf
3 http://oglobo.globo.com/
3 http://lechamp1.darktech.org:8150/en/mjpgmain.asp
3 http://ebizpowerhouse.dynalias.com/CgiStart?page=Single&Language=0
3 http://149.119.81.124/view/view.shtml
Comment 12•15 years ago
Debug only, not blocking but we'd take a patch and should keep our eyes out for it.
blocking1.9.1: ? → -
Updated•14 years ago
Assignee: nobody → joe
Updated•14 years ago
Whiteboard: [sg:critical?][crashkill][crash-automation] fix-range-wanted → [sg:critical?][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14]
Updated•14 years ago
Whiteboard: [sg:critical?][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14] → [sg:critical?][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14][critsmash:patch]
Comment 15•14 years ago
Boris is right!
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Updated•14 years ago
status1.9.2: --- → unaffected
Whiteboard: [sg:critical?][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14][critsmash:patch] → [sg:dupe 524921][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14][critsmash:patch]
Updated•14 years ago
status2.0: --- → unaffected
Updated•14 years ago
Whiteboard: [sg:dupe 524921][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14][critsmash:patch] → [sg:dupe 524921][crashkill][crash-automation] fix-range-wanted [eta 2010-05-14][critsmash:resolved]
Updated•14 years ago
Group: core-security
Updated•13 years ago
Crash Signature: [@ imgContainer::GetFrameAt(unsigned int, gfxIImageFrame**) ]
Updated•9 years ago
Keywords: testcase-wanted