Closed
Bug 580874
Opened 14 years ago
Closed 14 years ago
crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(blocking2.0 beta3+)
RESOLVED
DUPLICATE
of bug 575836
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | beta3+ |
People
(Reporter: al_9x, Assigned: benjamin)
References
()
Details
(Keywords: crash, regression, Whiteboard: [sg:dupe 575836])
Crash Data
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7 new profile, default settings, no extensions no crash in 3.6.6 Reproducible: Always
|
||
Comment 2•14 years ago
|
||
Confirmed, the page loads in 3.6.6, and it consistently crashes on 3.6.7, using QT 7.6.6.0. http://crash-stats.mozilla.com/report/index/f977caff-3bfc-4dd6-9afb-be9582100721
Status: UNCONFIRMED → NEW
blocking1.9.2: --- → ?
Ever confirmed: true
Keywords: regression
Summary: Fx 3.6.7 regression: page with quicktime crashes Fx → crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ]
Signature strlen | nsACString_internal::Assign(char const*, unsigned int) UUID f977caff-3bfc-4dd6-9afb-be9582100721 Time 2010-07-21 22:33:16.106393 Uptime 15 Install Age 1115 seconds (18.6 minutes) since version was first installed. Product Firefox Version 3.6.7 Build ID 20100713130626 Branch 1.9.2 OS Windows NT OS Version 5.1.2600 Service Pack 3 CPU x86 CPU Info GenuineIntel family 6 model 23 stepping 6 Crash Reason EXCEPTION_ACCESS_VIOLATION Crash Address 0x464 User Comments open keynotes on itunes, crash Processor Notes EMCheckCompatibility False Crashing Thread Frame Module Signature [Expand] Source 0 mozcrt19.dll strlen strlen.asm:81 1 xul.dll nsACString_internal::Assign xpcom/string/src/nsTSubstring.cpp:352 2 xul.dll nsCString::nsCString obj-firefox/dist/include/nsTString.h:86 3 xul.dll mozilla::plugins::NullableString obj-firefox/dist/include/mozilla/plugins/PluginMessageUtils.h:256 npqtplugin.dll 7.6.6.0 CC100D73B2F7483198E611E7D32B679D1 npqtplugin.pdb
Severity: normal → critical
Component: Security → Plug-ins
Keywords: crash
Product: Firefox → Core
QA Contact: firefox → plugins
Version: unspecified → 1.9.2 Branch
|
Assignee | |
Comment 4•14 years ago
|
||
cjones, did you happen to change serialization or something related between 3.6.6 and 3.6.7?
Assignee: nobody → benjamin
|
|
Assignee | |
Comment 5•14 years ago
|
||
Hrm, I got http://crash-stats.mozilla.com/report/index/da4fa239-c30c-4b6c-babf-a70cd2100722 which is [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
|
|
Assignee | |
Comment 6•14 years ago
|
||
But I have it in recording, and so this is probably the same as bug 581020.
Blocks: 581020
|
|
Assignee | |
Comment 7•14 years ago
|
||
This is caused by a logical mismatch in nsPluginInstanceOwner::EnsureCachedAttrParamArrays http://mxr.mozilla.org/mozilla1.9.2/source/layout/generic/nsObjectFrame.cpp?mark=3590-3595,3651-3655#3584 If there is a data="" parameter, the block at 3590 will increment mNumCachedAttrs but data is an empty string. The condition at 3651 will not be true and nextAttrParamIndex will become out of sync with reality. This logic error was made worse in bug 572985 because the subsequent hunks for cached param values are now using nextAttrParamIndex and not mNumCachedAttrs + 1 + c.
Blocks: CVE-2010-1214
blocking2.0: --- → beta3+
|
|
Assignee | |
Updated•14 years ago
|
Summary: crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] → crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
|
|
Assignee | |
Updated•14 years ago
|
Group: core-security
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
No longer blocks: CVE-2010-1214
|
||
Updated•14 years ago
|
blocking1.9.2: ? → ---
Whiteboard: [sg:dupe 575836]
|
||
Updated•14 years ago
|
Blocks: CVE-2010-1214
|
|
||
Updated•14 years ago
|
Whiteboard: [sg:dupe 575836] → [sg:dupe 575836][regression-from: 572985]
|
||
Comment 10•14 years ago
|
||
I see no crash at http://itunes.apple.com/us/podcast/apple-keynotes/id275834665 on 1.9.1.11 on OS X 10.6.
|
|
||
Updated•14 years ago
|
Whiteboard: [sg:dupe 575836][regression-from: 572985] → [sg:dupe 575836]
|
|
||
Comment 11•14 years ago
|
||
NM, wrong bug.
|
|
||
Updated•14 years ago
|
Group: core-security
|
||
Updated•13 years ago
|
Crash Signature: [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ]
[@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
|
||
Updated•2 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•