Closed Bug 598532 Opened 14 years ago Closed 8 years ago

Problem crash if I use asx player for listening to music [@ @0x99bb2b03 | UserCallWinProcCheckWow]

Categories

(Plugins Graveyard :: RealPlayer (Real), defect)

12.x
x86
Windows XP
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: luisdalva, Unassigned)

Details

(Keywords: crash)

Crash Data

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; pt-PT; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; pt-PT; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

If I visit a site that uses frame,
And if you had embed a player asx,
Browser crash's, and maybe could run malicious commands ..

Reproducible: Always

Steps to Reproduce:
1. Create a frame pointing to two pages ( Only a FRAME not work with Iframe )
2. Create a valid Asx pointing a streaming music server operating
3. Asx embed a player in one of the pages included in the frame
4. Another page in the frame include some pictures or something that creates a delay to load the media page 2 to 3 seconds ..
Actual Results:  
Browser crach and so can be closed using ctrl + alt + del or restarting the computer, I think it can also be used to download malicious code or create malicious instructions using an exploit ..

Expected Results:  
I do not know if I understand the question, but I think it is one's own error firefox

Main concerns with this bug,
- Migration of people who listen to radio for other browsers
- Possibly Maybe use it for malicious purposes
This is my first sending bug, I'm student I'm 17 years old and am studying "Informatica de Gestão" (Computing Management) in Portugal, I asked my mother permission to send you the vulnerability, I would like to receive some money for this vulnerability have found to help me because I want to make the University of informatics and it would help a lot! I do not care to create videos demonstrating the vulnerability if you want! I think I deserve because I'm two days sleeping late and almost got missing in the morning math lesson for trying to understand why the firefox crached on some sites, if that happens I promise I'll look even more vulnerabilities to make firefox more secure,
Computing is something that I love and not trade my computer for full php code on a computer 10x better without backup's

Windows 7 
4 G Ram
250HD+250HD

Thank you,
Luis Faria
Keywords: crash
Whiteboard: security@mozilla.org
Whiteboard: security@mozilla.org
There is not enough information in this report to reproduce the crash.  If you have a testcase or a URL that causes the crash, please post it here.
Whiteboard: [sg:needinfo]
I have 3 urls having a crash and I have a crash html and asx code,
See here,
www.radiohunter.com.br
www.radioevolutionx.org
www.radiofusion.com.br,
I also know reproduce the problem, causing crash
How can I send a video testcase for you?

Thank You,
Luís Faria
Luís, it's rather annoying for you to go back and re-add the security@mozilla.org email alias from this bug after I removed it.  This does not help bring attention to this bug in any way, and there is a large group of people who recieve mail sent there and I want to reduce the amount of bugmail that gets sent there.  Please don't add it back.

With that said, I will investigate the links you sent to see if I can reproduce the crash.
In the meantime, if there are any links to crash reports saved in your browser, please paste them here.  You can find the crash reports by entering about:config in the location bar.
I loaded all three of the sites you mentioned in comment 2 and none of them caused a crash for me on Windows with Flash installed.  I clicked around a bunch and did not experience any crashes.  Do you have an old version of some plugins installed?  You can check by visiting:
http://www.mozilla.com/plugincheck/
Group: core-security
Whiteboard: [sg:needinfo]
Please put this ticket as necessary to pass confidential information confidential
Is very important to have the information that you need to go put restrict access as quickly as possible !!
I apologize for adding security@mozilla.org but mail is really important information that you have to also pass sensitive information sent to this address in order to make the process faster
OS: Windows 7 → Windows XP
(In reply to comment #4)
> In the meantime, if there are any links to crash reports saved in your browser,
> please paste them here.  You can find the crash reports by entering
> about:config in the location bar.

about:crashes, actually.
(In reply to comment #6)
> Please put this ticket as necessary to pass confidential information
> confidential

What confidential information? Nothing in the bug has needed to be private at all.
of the sites mentioned in comment 2 there are only a few instances of crash reports being sent since the beginning of Sept.

172:crashdata chofmann$ grep www.radiofusion.com.br 201009* | awk -F\t '{print $1,$2}'

20100901-crashdata.csv:UserCallWinProcCheckWow http://www.radiofusion.com.br/player_preto/indexoff.php
20100901-crashdata.csv:UserCallWinProcCheckWow http://www.radiofusion.com.br/player_preto/indexoff.php
20100902-crashdata.csv:urlmon.dll@0x14320 http://www.radiofusion.com.br/player_branco/indexoff.php
20100903-crashdata.csv:@0x0 | wmp.dll@0x1869ce http://www.radiofusion.com.br/
20100903-crashdata.csv:UserCallWinProcCheckWow http://www.radiofusion.com.br/player_branco/indexoff.php
20100905-crashdata.csv:UserCallWinProcCheckWow http://www.radiofusion.com.br/player_branco/indexoff.php
20100905-crashdata.csv:wmp.dll@0x1991e8 http://www.radiofusion.com.br/player_verde/indexoff.php
20100907-crashdata.csv:UserCallWinProcCheckWow http://www.radiofusion.com.br/player_preto/indexoff.php
20100910-crashdata.csv:UserCallWinProcCheckWow http://www.radiofusion.com.br/
20100911-crashdata.csv:UserCallWinProcCheckWow http://www.radiofusion.com.br/player_branco/indexoff.php
20100913-crashdata.csv:UserCallWinProcCheckWow http://www.radiofusion.com.br/
20100914-crashdata.csv:UserCallWinProcCheckWow http://www.radiofusion.com.br/player_branco/index.php
20100916-crashdata.csv:@0x0 | CdxmPlay::CloseGraph(int) http://www.radiofusion.com.br/
20100918-crashdata.csv:@0x0 | urlmon.dll@0x71dc http://www.radiofusion.com.br/player_branco/indexoff.php

172:crashdata chofmann$ grep www.radiohunter.com.br 201009* | awk -F\t '{print $1,$2}'
20100905-crashdata.csv:`anonymous namespace''::TimerExpiredTask::`scalar deleting destructor''(unsigned int) http://www.radiohunter.com.br/data/home/inair/index.php
20100912-crashdata.csv:wmp.dll@0x16eda2 http://www.radiohunter.com.br/data/pages/players/topo/1/stop.php
20100912-crashdata.csv:UserCallWinProcCheckWow http://www.radiohunter.com.br/site/player.php
I need to pass data to ftp you the testcase and download video that shows information on the testcase, I would like to add that this bug is on the newest version of firefox and not in earlier, that if you really want to fix the bug .. .
(In reply to comment #11)
> I need to pass data to ftp you the testcase and download video that shows
> information on the testcase, I would like to add that this bug is on the newest
> version of firefox and not in earlier, that if you really want to fix the bug
> .. .

You can e-mail the FTP details to security@mozilla.org, but the actual discussions should always be held in this bug.
The data were sent ftp please check in the mail security@mozilla.org,

Thank You,
Luis Faria
I downloaded the files from your FTP server and loaded the index file several times and observed no crashes.  Please go to about:crashes and paste any relevant links to crash reports in this bug.
Please see the video I already asked my friends who are using the latest version of Firefox is also the same problem occurs
Firefox 3.6.10 is my version of firefox, attention does not occur in smaller versions to this version or 4 beta releases ..
Use this version to make the test-bug it's the latest available version of firefox 3.6
Luís,  we have asked about this several times.  Do you see the Firefox crash reporter appear when you hit the problem loading your test case, or when you visit the sites you mentioned in comment 2?

If you see the Firefox crash reporter then there should be an entry for the report when you view the web page  

  about:crashes

type this in the location bar of the browser, and paste links for your most recent crash reports in this bug.

Its its also possible that the crash is in the ASX player that you mentioned.  Your crash report will help us to figure that out.   The source and version number of your ASX player might also help to understand why you see the crash and others can not reproduce.
I am sending the log crashs
----------------------------------
ID do Relatório
        	Data de Submissão
    
    bp-d116463a-8478-4c76-88b1-b39542100921	21-09-2010	20:06
bp-8103f654-3cee-44b2-b7d7-65c2a2100921	21-09-2010	20:02
bp-bf74d35c-a8d3-4daa-8275-c11312100920	21-09-2010	00:32
bp-e1a609e4-0ec6-45ae-a976-9d9702100920	20-09-2010	23:59
bp-6e0e19e5-a668-46db-9bba-abd9f2100920	20-09-2010	23:52
-------------
Thank You,
Luís Faria
I found out what the problem, the problem is the plugin RealPlayer Browser Record Plugin 1.1.5 that comes with the RealPlayer software available at http://www.real.com/realplayer, now the question that arises is you create a fix for this or speak with the company for RealPlayer that will fix this problem?

Thank You,
Luís Faria
4/5 of the crashes are this:

Signature	UserCallWinProcCheckWow
UUID	d116463a-8478-4c76-88b1-b39542100921
Time 	2010-09-21 12:06:20.658079
Uptime	17
Last Crash	34 seconds before submission
Install Age	323068 seconds (3.7 days) since version was first installed.
Product	Firefox
Version	3.6.10
Build ID	20100914125854
Branch	1.9.2
OS	Windows NT
OS Version	6.1.7600
CPU	x86
CPU Info	GenuineIntel family 6 model 23 stepping 6
Crash Reason	EXCEPTION_ACCESS_VIOLATION_EXEC
Crash Address	0xffffffff99bb2b03
User Comments	
Processor Notes 	
EMCheckCompatibility	False
Related Bugs

* Bug 585660 UNCONFIRMED Crash after javascript remove Embed (flash or quicktime tested) element [@ UserCallWinProcCheckWow ]
* Bug 516182 VERIFIED DUPLICATE
firefox crashes when I log out of gmail [@UserCallWinProcCheckWow ]
* Bug 590078 RESOLVED DUPLICATE
firefox crashed when I push go back button. [@ UserCallWinProcCheckWow]
* Bug 569498 RESOLVED DUPLICATE
Navigating through pages with embedded PDF documents causes the browser to hang and then crash [@ UserCallWinProcCheckWow ]
* Bug 556483 RESOLVED DUPLICATE
Crash while closing Firefox Window [@ UserCallWinProcCheckWow ]
* Bug 522070 VERIFIED DUPLICATE
Firefox crashes when working with Gmail [@UserCallWinProcCheckWow ]

Crashing Thread
Frame 	Module 	Signature [Expand] 	Source
0 		@0x99bb2b03 	
1 	user32.dll 	UserCallWinProcCheckWow 	
2 	user32.dll 	DispatchClientMessage 	
3 	user32.dll 	__fnDWORD 	
4 	ntdll.dll 	ntdll.dll@0x4642d 	
5 	user32.dll 	RealDefWindowProcW 	
6 	user32.dll 	DefWindowProcW 	
7 	user32.dll 	InternalCallWinProc 	
8 	user32.dll 	UserCallWinProcCheckWow 	
9 	user32.dll 	CallWindowProcAorW 	
10 	user32.dll 	CallWindowProcW 	
11 	xul.dll 	nsWindow::WindowProc 	widget/src/windows/nsWindow.cpp:3732
12 	user32.dll 	InternalCallWinProc 	
13 	user32.dll 	UserCallWinProcCheckWow 	
14 	user32.dll 	DispatchClientMessage 	
15 	user32.dll 	__fnDWORD 	
16 	ntdll.dll 	ntdll.dll@0x4642d 	
17 	user32.dll 	PeekMessageW 	
18 	xul.dll 	nsAppShell::ProcessNextNativeEvent 	widget/src/windows/nsAppShell.cpp:172
19 	xul.dll 	nsBaseAppShell::OnProcessNextEvent 	widget/src/xpwidgets/nsBaseAppShell.cpp:299
20 	xul.dll 	nsThread::ProcessNextEvent 	xpcom/threads/nsThread.cpp:508
21 	xul.dll 	mozilla::ipc::MessagePump::Run 	ipc/glue/MessagePump.cpp:118
22 	xul.dll 	xul.dll@0x9604c7 	
23 	xul.dll 	MessageLoop::RunHandler 	ipc/chromium/src/base/message_loop.cc:199
24 	mozcrt19.dll 	malloc 	obj-firefox/memory/jemalloc/crtsrc/jemalloc.c:5790
25 	xul.dll 	xul.dll@0x2ef303 	
26 	xul.dll 	xul.dll@0x30ab2f 	
27 	firefox.exe 	firefox.exe@0x1b97 	
28 	ntdll.dll 	ntdll.dll@0x1d75c 	
29 	ntdll.dll 	ntdll.dll@0x5b467 	
30 	firefox.exe 	firefox.exe@0x183f 	
31 	firefox.exe 	firefox.exe@0x183f 	

Filename 	Version 	Debug Identifier 	Debug Filename
rpnpshimswf.dll 		E29C62D3EA0D499EBE42594F39C3C6E6c 	rpthinpluginshim.pdb
wmploc.DLL 	12.0.7600.16415 		
wmp.dll 	12.0.7600.16415 	C0C33E5C2324484795DBA237061E931B2 	wmp_notestroot.pdb
mf.dll 	12.0.7600.16385 	2937C674291E484FA338CE3EB2021C412 	mf.pdb
rpmainbrowserrecordplugin.dll 	12.0.1.455 	019CC31E6CC84A0AA0DE85C99EDD38AA1f 	rpmainbrowserrecordplugin.pdb
rpnpshimwmp.dll 		E29C62D3EA0D499EBE42594F39C3C6E6c 	rpthinpluginshim.pdb
nprpffbrowserrecordext.dll 		386963E89A0441898398B91FBD5BED248 	nprpffbrowserrecordext.pdb
rpchromebrowserrecordhelper.dll 		20B225090DB44E6A91B26BDCCB25F1A27 	rpchromebrowserrecordhelper.pdb
mfps.dll 	12.0.7600.16385 	54AC71FB480C45D1B0CBE87FE3B4C3B32 	MFPS.pdb
np-mswmp.dll 	1.0.0.8 	1150E443A97A459B8D2023ECA2594F3E1 	np-mswmp.pdb
sfShellTools.dll 	1.0.24.0 	35733B500EE042A0917D3CDB804633CE1 	sfShellTools.pdb

As the last frame isn't ours, I don't think we can fix this.
Component: General → RealPlayer (Real)
Product: Firefox → Plugins
QA Contact: general → real-player
Summary: Problem crash if I use asx player for listening to music, Critical Problem → Problem crash if I use asx player for listening to music [@ @0x99bb2b03 | UserCallWinProcCheckWow]
Version: unspecified → 12.x
sorry, strike the 4/5 line, all of your crashes are that :)
Crash Signature: [@ @0x99bb2b03 | UserCallWinProcCheckWow]
Closing old bugs in the Plugins component. We aren't going to track issues in 3rd-party plugins in the Mozilla bug tracker. In addition, support for NPAPI plugins will be removed at the end of this year; for more details see the post at https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/

If there is a serious bug in Firefox, it needs to be filed in the "Core" product, "Plug-Ins" component.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Product: Plugins → Plugins Graveyard
You need to log in before you can comment on or make changes to this bug.