QuickTime 7.6.6 - Non-aligned pointer|Invalid read|write

Status: RESOLVED WORKSFORME
Product / Component: Plugins Graveyard / QuickTime (Apple)
Reported 7 years ago, last updated 2 years ago

People: Reporter: bc, Unassigned

Tracking: Blocks: 1 bug, {crash}
Platform: x86, Mac OS X
Keywords: crash

Whiteboard: [sg:vector-critical (quicktime)], URL

Attachments: 2 attachments

Description (Reporter, 7 years ago)

Created attachment 464829: gdb log

1. http://www.brideaccess.com/vendor-list?category_id=13
2. firefox-bin(76654,0xa013a720) malloc: *** error for object 0x77afbd27: Non-aligned pointer being freed

I originally saw this due to a crash:

Operating system: Mac OS X
                  10.5.8 9L34
CPU: x86
     GenuineIntel family 6 model 26 stepping 5
     1 CPU

Crash reason:  EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
Crash address: 0xffffffff80808080

Thread 0 (crashed)
 0  libmozjs.dylib!JS_TraceChildren [jsgc.cpp : 2384 + 0x5]
    eip = 0x002ef242   esp = 0xbfff5090   ebp = 0xbfff50c8   ebx = 0x002ef208
    esi = 0x00000000   edi = 0x00000008   eax = 0x80808080   ecx = 0x00000021
    edx = 0xbfff50f8   efl = 0x00210282

but that may just be due to quicktime trashing memory.

Comment 1 (Reporter, 7 years ago)

Created attachment 464830: valgrind log

Comment 2 (Reporter, 7 years ago)

FYI: I've now seen this twice in jseng with stacks looking like:

JS_TraceChildren JS_CallTracer js_TraceObject JS_TraceChildren JS_CallTracer

JS_TraceChildren JS_CallTracer JSScopeProperty::trace JSScope::trace js_TraceObject

I haven't been able to reproduce locally though.

Comment 3 (Reporter, 6 years ago)

Cannot reproduce with QuickTime 7.7 on Mac OS X 10.5 (crash or valgrind message), on Windows, or with QuickTime 10.0 on Mac OS X 10.6. I think the content has changed, though, so that the original issue is not being tested. Nonetheless, also considering tracemonkey is no more, I think this is wfm.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME

Updated (Assignee, 2 years ago)

Product: Plugins → Plugins Graveyard