Closed Bug 580874 Opened 10 years ago Closed 10 years ago

crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]

Categories

(Core :: Plug-ins, defect)

1.9.2 Branch
x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 575836
Tracking Status
blocking2.0 --- beta3+

People

(Reporter: al_9x, Assigned: benjamin)

References

()

Details

(Keywords: crash, regression, Whiteboard: [sg:dupe 575836])

Crash Data

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7

new profile, default settings, no extensions
no crash in 3.6.6

Reproducible: Always
QuickTime 7.66.71.0
Confirmed, the page loads in 3.6.6, and it consistently crashes on 3.6.7, using QT 7.6.6.0.

http://crash-stats.mozilla.com/report/index/f977caff-3bfc-4dd6-9afb-be9582100721
Status: UNCONFIRMED → NEW
blocking1.9.2: --- → ?
Ever confirmed: true
Keywords: regression
Summary: Fx 3.6.7 regression: page with quicktime crashes Fx → crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ]
Signature	strlen | nsACString_internal::Assign(char const*, unsigned int)
UUID	f977caff-3bfc-4dd6-9afb-be9582100721
Time 	2010-07-21 22:33:16.106393
Uptime	15
Install Age	1115 seconds (18.6 minutes) since version was first installed.
Product	Firefox
Version	3.6.7
Build ID	20100713130626
Branch	1.9.2
OS	Windows NT
OS Version	5.1.2600 Service Pack 3
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION
Crash Address	0x464
User Comments	open keynotes on itunes, crash
Processor Notes 	
EMCheckCompatibility	False

Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 	mozcrt19.dll 	strlen 	strlen.asm:81
1 	xul.dll 	nsACString_internal::Assign 	xpcom/string/src/nsTSubstring.cpp:352
2 	xul.dll 	nsCString::nsCString 	obj-firefox/dist/include/nsTString.h:86
3 	xul.dll 	mozilla::plugins::NullableString 	obj-firefox/dist/include/mozilla/plugins/PluginMessageUtils.h:256

npqtplugin.dll  	7.6.6.0  	CC100D73B2F7483198E611E7D32B679D1  	npqtplugin.pdb
Severity: normal → critical
Component: Security → Plug-ins
Keywords: crash
Product: Firefox → Core
QA Contact: firefox → plugins
Version: unspecified → 1.9.2 Branch
cjones, did you happen to change serialization or something related between 3.6.6 and 3.6.7?
Assignee: nobody → benjamin
Hrm, I got http://crash-stats.mozilla.com/report/index/da4fa239-c30c-4b6c-babf-a70cd2100722 which is [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
But I have it in recording, and so this is probably the same as bug 581020.
Blocks: 581020
This is caused by a logical mismatch in nsPluginInstanceOwner::EnsureCachedAttrParamArrays

http://mxr.mozilla.org/mozilla1.9.2/source/layout/generic/nsObjectFrame.cpp?mark=3590-3595,3651-3655#3584

If there is a data="" parameter, the block at 3590 will increment mNumCachedAttrs but data is an empty string. The condition at 3651 will not be true and nextAttrParamIndex will become out of sync with reality.

This logic error was made worse in bug 572985 because the subsequent hunks for cached param values are now using nextAttrParamIndex and not mNumCachedAttrs + 1 + c.
blocking2.0: --- → beta3+
Summary: crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] → crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
Duplicate of this bug: 581020
Group: core-security
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2010-2755
No longer blocks: CVE-2010-1214
blocking1.9.2: ? → ---
Whiteboard: [sg:dupe 575836]
Whiteboard: [sg:dupe 575836] → [sg:dupe 575836][regression-from: 572985]
Whiteboard: [sg:dupe 575836][regression-from: 572985] → [sg:dupe 575836]
NM, wrong bug.
Group: core-security
Crash Signature: [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
You need to log in before you can comment on or make changes to this bug.