Closed
Bug 580874
Opened 14 years ago
Closed 14 years ago
crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(blocking2.0 beta3+)
RESOLVED
DUPLICATE
of bug 575836
Tracking | Status | |
---|---|---|
blocking2.0 | --- | beta3+ |
People
(Reporter: al_9x, Assigned: benjamin)
References
()
Details
(Keywords: crash, regression, Whiteboard: [sg:dupe 575836])
Crash Data
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7
new profile, default settings, no extensions
no crash in 3.6.6
Reproducible: Always
Comment 2•14 years ago
Confirmed, the page loads in 3.6.6, and it consistently crashes on 3.6.7, using QT 7.6.6.0.
http://crash-stats.mozilla.com/report/index/f977caff-3bfc-4dd6-9afb-be9582100721
Status: UNCONFIRMED → NEW
blocking1.9.2: --- → ?
Ever confirmed: true
Keywords: regression
Summary: Fx 3.6.7 regression: page with quicktime crashes Fx → crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ]
Signature strlen | nsACString_internal::Assign(char const*, unsigned int)
UUID f977caff-3bfc-4dd6-9afb-be9582100721
Time 2010-07-21 22:33:16.106393
Uptime 15
Install Age 1115 seconds (18.6 minutes) since version was first installed.
Product Firefox
Version 3.6.7
Build ID 20100713130626
Branch 1.9.2
OS Windows NT
OS Version 5.1.2600 Service Pack 3
CPU x86
CPU Info GenuineIntel family 6 model 23 stepping 6
Crash Reason EXCEPTION_ACCESS_VIOLATION
Crash Address 0x464
User Comments open keynotes on itunes, crash
Processor Notes
EMCheckCompatibility False
Crashing Thread
Frame Module Signature Source
0 mozcrt19.dll strlen strlen.asm:81
1 xul.dll nsACString_internal::Assign xpcom/string/src/nsTSubstring.cpp:352
2 xul.dll nsCString::nsCString obj-firefox/dist/include/nsTString.h:86
3 xul.dll mozilla::plugins::NullableString obj-firefox/dist/include/mozilla/plugins/PluginMessageUtils.h:256
npqtplugin.dll 7.6.6.0 CC100D73B2F7483198E611E7D32B679D1 npqtplugin.pdb
Severity: normal → critical
Component: Security → Plug-ins
Keywords: crash
Product: Firefox → Core
QA Contact: firefox → plugins
Version: unspecified → 1.9.2 Branch
Comment 4•14 years ago
cjones, did you happen to change serialization or something related between 3.6.6 and 3.6.7?
Assignee: nobody → benjamin
Comment 5•14 years ago
Hrm, I got http://crash-stats.mozilla.com/report/index/da4fa239-c30c-4b6c-babf-a70cd2100722 which is [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
Comment 6•14 years ago
But I have it in recording, and so this is probably the same as bug 581020.
Blocks: 581020
Comment 7•14 years ago
This is caused by a logical mismatch in nsPluginInstanceOwner::EnsureCachedAttrParamArrays
http://mxr.mozilla.org/mozilla1.9.2/source/layout/generic/nsObjectFrame.cpp?mark=3590-3595,3651-3655#3584
If there is a data="" parameter, the block at 3590 will increment mNumCachedAttrs but data is an empty string. The condition at 3651 will not be true and nextAttrParamIndex will become out of sync with reality.
This logic error was made worse in bug 572985 because the subsequent hunks for cached param values are now using nextAttrParamIndex and not mNumCachedAttrs + 1 + c.
Blocks: CVE-2010-1214
blocking2.0: --- → beta3+
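The mismatch described in comment 7 is a count-pass/fill-pass disagreement: the first pass reserves a slot for a data attribute whether or not it is empty, the second pass only writes the slot when the value is non-empty, and every later index derived from the fill pass is then one short, leaving a reserved slot holding whatever was in memory before. The following is an added, constructed C model of that pattern and of the fix (keeping both passes on the same predicate); it is not the nsObjectFrame.cpp code, and the Cache type, build_cache, first_uninitialized, the sample attributes and the "fixed" flag are all invented for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not Mozilla code) of a count-pass/fill-pass mismatch
 * when caching <object> attributes followed by <param> values. */

#define MAX_SLOTS 16
static const char UNINIT[] = "<uninitialized>";   /* stands in for stale memory */

typedef struct { const char *name; const char *value; } Attr;

typedef struct {
    const char *names[MAX_SLOTS];
    const char *values[MAX_SLOTS];
    size_t num_attrs;   /* slots the count pass reserved for attributes */
    size_t next_index;  /* where the fill pass had reached when params began */
    size_t total;       /* attribute slots + param slots */
} Cache;

static void cache_init(Cache *c) {
    memset(c, 0, sizeof *c);
    for (size_t i = 0; i < MAX_SLOTS; i++) {
        c->names[i] = UNINIT;
        c->values[i] = UNINIT;
    }
}

/* Count pass, shared by both variants: one slot per attribute, plus one more
 * whenever a data attribute is present, whatever its value (even ""). */
static size_t count_slots(size_t nattrs, const char *data, size_t nparams,
                          size_t *num_attrs) {
    *num_attrs = nattrs + (data != NULL ? 1 : 0);
    return *num_attrs + nparams;
}

static size_t put(Cache *c, size_t i, const char *name, const char *value) {
    c->names[i] = name;
    c->values[i] = value;
    return i + 1;
}

/* Fill pass. With fixed == 0 the data attribute is copied only when non-empty,
 * a different predicate from the count pass: data="" leaves one reserved slot
 * untouched and next_index one short, so params land one slot early and the
 * last reserved slot is never written. With fixed == 1 both passes agree. */
int build_cache(Cache *c, const Attr *attrs, size_t nattrs, const char *data,
                const Attr *params, size_t nparams, int fixed) {
    cache_init(c);
    c->total = count_slots(nattrs, data, nparams, &c->num_attrs);
    if (c->total > MAX_SLOTS) return -1;

    size_t next = 0;
    for (size_t i = 0; i < nattrs; i++)
        next = put(c, next, attrs[i].name, attrs[i].value);

    int copy_data = fixed ? (data != NULL) : (data != NULL && data[0] != '\0');
    if (copy_data)
        next = put(c, next, "data", data);

    c->next_index = next;   /* params are written from here, not from num_attrs */
    for (size_t i = 0; i < nparams; i++)
        next = put(c, next, params[i].name, params[i].value);
    return 0;
}

/* Consumer that walks every slot the count pass reserved, as a serializer
 * would. Returns the index of the first slot never written, or -1 if every
 * slot holds a real string. In the reported crash that slot held garbage
 * which reached strlen(). */
int first_uninitialized(const Cache *c) {
    for (size_t i = 0; i < c->total; i++)
        if (c->names[i] == UNINIT || c->values[i] == UNINIT) return (int)i;
    return -1;
}

/* Constructed sample: <object type=... width=... data=""> with one <param>. */
static const Attr SAMPLE_ATTRS[] = { {"type", "video/quicktime"}, {"width", "640"} };
static const Attr SAMPLE_PARAMS[] = { {"autoplay", "true"} };

/* Builds the sample with the chosen variant; returns the first unwritten slot. */
int demo(int fixed, Cache *out) {
    if (build_cache(out, SAMPLE_ATTRS, 2, "", SAMPLE_PARAMS, 1, fixed) != 0) return -2;
    return first_uninitialized(out);
}

int main(void) {
    Cache c;
    for (int fixed = 0; fixed <= 1; fixed++) {
        int bad = demo(fixed, &c);
        printf("%s: num_attrs=%zu next_index=%zu total=%zu first uninitialized slot=%d\n",
               fixed ? "fixed" : "buggy", c.num_attrs, c.next_index, c.total, bad);
    }
    return 0;
}
```

With data="" the buggy variant reports num_attrs=3 but next_index=2, and slot 3 is never written even though the consumer believes it owns four valid entries; the fixed variant writes the empty string into the reserved slot and the two indices agree. The general check a reviewer would apply to any count-then-fill allocation is that both passes use the identical predicate, ideally computed once and reused.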
Updated•14 years ago
Summary: crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] → crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
Updated•14 years ago
Group: core-security
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
No longer blocks: CVE-2010-1214
Updated•14 years ago
blocking1.9.2: ? → ---
Whiteboard: [sg:dupe 575836]
Updated•14 years ago
Blocks: CVE-2010-1214
Updated•14 years ago
Whiteboard: [sg:dupe 575836] → [sg:dupe 575836][regression-from: 572985]
Comment 10•14 years ago
I see no crash at http://itunes.apple.com/us/podcast/apple-keynotes/id275834665 on 1.9.1.11 on OS X 10.6.
Updated•14 years ago
Whiteboard: [sg:dupe 575836][regression-from: 572985] → [sg:dupe 575836]
Comment 11•14 years ago
NM, wrong bug.
Updated•14 years ago
Group: core-security
Updated•13 years ago
Crash Signature: [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ]
[@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
Updated•3 years ago
Product: Core → Core Graveyard