Closed Bug 580874 Opened 14 years ago Closed 14 years ago

crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]

Categories

(Core Graveyard :: Plug-ins, defect)

1.9.2 Branch
x86
Windows XP
defect
Not set
critical

Tracking

(blocking2.0 beta3+)

RESOLVED DUPLICATE of bug 575836
Tracking Status
blocking2.0 --- beta3+

People

(Reporter: al_9x, Assigned: benjamin)


Details

(Keywords: crash, regression, Whiteboard: [sg:dupe 575836])

Crash Data

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7

new profile, default settings, no extensions
no crash in 3.6.6

Reproducible: Always
QuickTime 7.66.71.0
Confirmed, the page loads in 3.6.6, and it consistently crashes on 3.6.7, using QT 7.6.6.0. http://crash-stats.mozilla.com/report/index/f977caff-3bfc-4dd6-9afb-be9582100721
Status: UNCONFIRMED → NEW
blocking1.9.2: --- → ?
Ever confirmed: true
Keywords: regression
Summary: Fx 3.6.7 regression: page with quicktime crashes Fx → crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ]
Signature: strlen | nsACString_internal::Assign(char const*, unsigned int)
UUID: f977caff-3bfc-4dd6-9afb-be9582100721
Time: 2010-07-21 22:33:16.106393
Uptime: 15
Install Age: 1115 seconds (18.6 minutes) since version was first installed.
Product: Firefox
Version: 3.6.7
Build ID: 20100713130626
Branch: 1.9.2
OS: Windows NT
OS Version: 5.1.2600 Service Pack 3
CPU: x86
CPU Info: GenuineIntel family 6 model 23 stepping 6
Crash Reason: EXCEPTION_ACCESS_VIOLATION
Crash Address: 0x464
User Comments: open keynotes on itunes, crash
Processor Notes:
EMCheckCompatibility: False

Crashing Thread
Frame  Module        Signature                          Source
0      mozcrt19.dll  strlen                             strlen.asm:81
1      xul.dll       nsACString_internal::Assign        xpcom/string/src/nsTSubstring.cpp:352
2      xul.dll       nsCString::nsCString               obj-firefox/dist/include/nsTString.h:86
3      xul.dll       mozilla::plugins::NullableString   obj-firefox/dist/include/mozilla/plugins/PluginMessageUtils.h:256

npqtplugin.dll 7.6.6.0 CC100D73B2F7483198E611E7D32B679D1 npqtplugin.pdb
Severity: normal → critical
Component: Security → Plug-ins
Keywords: crash
Product: Firefox → Core
QA Contact: firefox → plugins
Version: unspecified → 1.9.2 Branch
cjones, did you happen to change serialization or something related between 3.6.6 and 3.6.7?
Assignee: nobody → benjamin
Hrm, I got http://crash-stats.mozilla.com/report/index/da4fa239-c30c-4b6c-babf-a70cd2100722 which is [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
But I have it in recording, and so this is probably the same as bug 581020.
Blocks: 581020
This is caused by a logical mismatch in nsPluginInstanceOwner::EnsureCachedAttrParamArrays
http://mxr.mozilla.org/mozilla1.9.2/source/layout/generic/nsObjectFrame.cpp?mark=3590-3595,3651-3655#3584

If there is a data="" parameter, the block at 3590 will increment mNumCachedAttrs but data is an empty string. The condition at 3651 will not be true and nextAttrParamIndex will become out of sync with reality. This logic error was made worse in bug 572985 because the subsequent hunks for cached param values are now using nextAttrParamIndex and not mNumCachedAttrs + 1 + c.
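The comment above describes a classic two-pass sizing bug: a counting pass reserves an array slot under one condition (a data attribute exists) and the filling pass writes it under a different one (the data value is non-empty), so the running index ends up short of the reserved size and the consumer later reads a slot that was never written. The model below is an added illustration of that pattern and of the invariant that catches it; it is not Mozilla's code, and everything in it (the Slot and CachedArrays types, countSlots, build, buildBuggy, buildFixed, arraysConsistent, the synthesized "src" slot and the "PARAM" separator) is a constructed simplification based only on the description in the comment, with the two counter names borrowed from it.

```cpp
// Added example, not from nsObjectFrame.cpp: a simplified model of a counting
// pass and a filling pass that disagree about when a slot exists.
#include <cstddef>
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

using NameValue = std::pair<std::string, std::string>;

struct Slot {
    bool filled = false;  // false: reserved by the count but never written
    std::string name;
};

struct CachedArrays {
    std::vector<Slot> slots;             // attributes, one separator, then params
    std::size_t numCachedAttrs = 0;      // what the counting pass promised
    std::size_t nextAttrParamIndex = 0;  // how far the filling pass actually got
};

// Counting pass (hypothetical): one slot per attribute, one extra for a
// synthesized "src" whenever a "data" attribute is present at all (empty or
// not), one separator, and one per <param>.
static std::size_t countSlots(const std::vector<NameValue>& attrs,
                              const std::vector<NameValue>& params,
                              std::size_t& numCachedAttrs) {
    numCachedAttrs = attrs.size();
    for (const NameValue& a : attrs) {
        if (a.first == "data") { ++numCachedAttrs; break; }
    }
    return numCachedAttrs + 1 + params.size();
}

// Filling pass. With fillSrcOnlyIfNonEmpty == true it skips the synthesized
// slot for data="" although the count reserved it; nextAttrParamIndex then
// lags by one, and because params are written from nextAttrParamIndex onward
// the last reserved slot is never filled.
static CachedArrays build(const std::vector<NameValue>& attrs,
                          const std::vector<NameValue>& params,
                          bool fillSrcOnlyIfNonEmpty) {
    CachedArrays out;
    out.slots.resize(countSlots(attrs, params, out.numCachedAttrs));
    std::size_t& i = out.nextAttrParamIndex;

    bool hasData = false;
    std::string dataValue;
    for (const NameValue& a : attrs) {
        out.slots[i].filled = true;
        out.slots[i].name = a.first;
        ++i;
        if (a.first == "data") { hasData = true; dataValue = a.second; }
    }
    bool writeSrc = fillSrcOnlyIfNonEmpty ? !dataValue.empty() : hasData;
    if (writeSrc) {
        out.slots[i].filled = true;
        out.slots[i].name = "src";
        ++i;
    }
    out.slots[i].filled = true;  // separator between attributes and params
    out.slots[i].name = "PARAM";
    ++i;
    for (const NameValue& p : params) {
        out.slots[i].filled = true;
        out.slots[i].name = p.first;
        ++i;
    }
    return out;
}

CachedArrays buildBuggy(const std::vector<NameValue>& attrs,
                        const std::vector<NameValue>& params) {
    return build(attrs, params, true);
}

// Fixed variant: the filling pass uses the same condition as the counting pass.
CachedArrays buildFixed(const std::vector<NameValue>& attrs,
                        const std::vector<NameValue>& params) {
    return build(attrs, params, false);
}

// Consumer-side invariant worth asserting after any such two-pass build: the
// index reached the size the array was allocated for, and no slot is unfilled.
bool arraysConsistent(const CachedArrays& c) {
    if (c.nextAttrParamIndex != c.slots.size()) return false;
    for (const Slot& s : c.slots) {
        if (!s.filled) return false;
    }
    return true;
}

int main() {
    // Constructed input: <object data=""><param name="autoplay" value="true"></object>
    std::vector<NameValue> attrs = {{"data", ""}};
    std::vector<NameValue> params = {{"autoplay", "true"}};
    CachedArrays buggy = buildBuggy(attrs, params);
    CachedArrays fixed = buildFixed(attrs, params);
    std::printf("buggy: %zu slots reserved, index reached %zu, consistent=%d\n",
                buggy.slots.size(), buggy.nextAttrParamIndex, (int)arraysConsistent(buggy));
    std::printf("fixed: %zu slots reserved, index reached %zu, consistent=%d\n",
                fixed.slots.size(), fixed.nextAttrParamIndex, (int)arraysConsistent(fixed));
    return 0;
}
```

With data="" the buggy variant reserves four slots but only advances the index to three, leaving the final slot unfilled; in a real char* array that slot holds whatever was in memory, which is the kind of value a later strlen or free would choke on. The fix shown here makes the filling pass mirror the counting condition; the equivalent fix on the other side (count the slot only when data is non-empty) preserves the same invariant, and the arraysConsistent check is what either variant should be held to.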
blocking2.0: --- → beta3+
Summary: crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] → crash [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
Group: core-security
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
No longer blocks: CVE-2010-1214
blocking1.9.2: ? → ---
Whiteboard: [sg:dupe 575836]
Whiteboard: [sg:dupe 575836] → [sg:dupe 575836][regression-from: 572985]
Whiteboard: [sg:dupe 575836][regression-from: 572985] → [sg:dupe 575836]
NM, wrong bug.
Group: core-security
Crash Signature: [@ strlen | nsACString_internal::Assign(char const*, unsigned int) ] [@ free | nsPluginInstanceOwner::~nsPluginInstanceOwner() ]
Product: Core → Core Graveyard