Buffer overflow on TextRun.

Status: NEW (Unassigned)
Priority: P3
Severity: critical
Reported: 8 years ago
Modified: a year ago
Reporter: info
Keywords: crash, reproducible, testcase
Firefox Tracking Flags: Not tracked
Whiteboard: [sg:dos?][oom][gfx-noted]
Attachments: 2

Description (Reporter, 8 years ago)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.2.13) Gecko/20101203
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.2.13) Gecko/20101203

It seems to be a serious exception which seems to lead to a buffer overflow that is not caught while we spray loads of nulls onto the stack. It takes around 10 seconds to crash Firefox reliably. Debugging was a bit problematic because of invalid exceptions that were thrown, so I am not sure what is going on here. It could be a flaw in Visual C++ for all I know.

It's the first time I got a Microsoft Visual C++ runtime library error popup through Firefox while running the exploit poc. Though the C++ dialog appears sporadically, it usually crashes with the crash report dialog nine out of ten times. I am still figuring out if it is exploitable, but on a quick look it seems we can control SEH records, which can lead to a remote compromise and code execution.

I set this bug to hidden from the public. Feel free to change the status when you see fit. Any comments are greatly appreciated.

/sasha

Reproducible: Always

Steps to Reproduce:
1. fire up attached poc
2. hit the button
3. wait.
Actual Results:  
Firefox crashed, sporadic Microsoft Visual C++ runtime library error.

Expected Results:  
Better (invalid) exception handling.

================================================================================
Stack trace
================================================================================
EAX 0117FE20
ECX 00000000
EDX 7C90E514 ntdll.KiFastSystemCallRet
EBX 00813480
ESP 0117FE1C
EBP 0117FE70
ESI 0117FEA8
EDI 00813494
EIP 7C812AFB kernel32.7C812AFB
C 0  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDD000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 7.7475472610828490000e-304
ST1 empty -1.6066695911453612000e+290
ST2 empty -2.0152844516029100000e+265
ST3 empty 1.0992723545765068000e+292
ST4 empty 7.1203789454049460000e-307
ST5 empty 4.9406564584124654000e-324
ST6 empty -1.4397035751734502000e-173
ST7 empty 1.2519775166695107000e-312
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

================================================================================

0117FE1C   00813480  €4. ; <--------- EAX, EBX
0117FE20   406D1388  ˆm@ ; <--------- EAX
0117FE24   00000000  .... ; <--------- ECX
0117FE28   00000000  ....
0117FE2C   7C812AFB  û*|  RETURN to kernel32.7C812AFB from ntdll.RtlRaiseException ;  <--------- EIP
0117FE30   00000004  ...
0117FE34   00001000  ...
0117FE38   00813498  ˜4.  ASCII "Gecko_IOThread"
0117FE3C   00000EEC  ì..
0117FE40   00000000  ....
0117FE44   00000001  ...
0117FE48   00813570  p5.
0117FE4C   EED329F7  ÷)Óî
0117FE50   00813540  @5.
0117FE54   0117FEE0  àþ
0117FE58   1023A233  3¢#  RETURN to xul.1023A233 from <JMP.&MOZCRT19.??2@YAPAXI@Z>
0117FE5C   0117FE90  þ
0117FE60   1023A1ED  í¡#  RETURN to xul.1023A1ED from kernel32.CreateIoCompletionPort
0117FE64   FFFFFFFF  ÿÿÿÿ
0117FE68   000000F4  ô...
0117FE6C   0117FE90  þ
0117FE70  /0117FEC0  Àþ
0117FE74  |1031AB46  F«1  RETURN to xul.1031AB46 from kernel32.RaiseException
0117FE78  |406D1388  ˆm@
0117FE7C  |00000000  ....
0117FE80  |00000004  ...
0117FE84  |0117FE98  ˜þ
0117FE88  |EED3295F  _)Óî
0117FE8C  |00813494  ”4.
0117FE90  |00813480  €4.
0117FE94  |00813480  €4.
0117FE98  |00001000  ...
0117FE9C  |00813498  ˜4.  ASCII "Gecko_IOThread"
0117FEA0  |00000EEC  ì..
0117FEA4  |00000000  ....
0117FEA8  |0117FE88  ˆþ
0117FEAC  |894694E8  è”F‰
0117FEB0  |0117FFA4  ¤ÿ  Pointer to next SEH record
0117FEB4  |102F05B4  ´/  SE handler
0117FEB8  |FF622C8F  ,bÿ
0117FEBC  |00000000  ....
0117FEC0  ]0117FFB0  °ÿ
0117FEC4  |10229F90  Ÿ"  RETURN to xul.10229F90 from xul.1023F2DE
0117FEC8  |00813498  ˜4.  ASCII "Gecko_IOThread"
0117FECC  |EED3294F  O)Óî
0117FED0  |0012F8F8  øø.
0117FED4  |7C96FC28  (ü–|  RETURN to ntdll.7C96FC28 from ntdll.RtlLeaveCriticalSection
0117FED8  |00813480  €4.
0117FEDC  |B33A3BDC  Ü;:³
0117FEE0  |10A6498C  ŒI¦  xul.10A6498C
0117FEE4  |00000002  ...
0117FEE8  |00000000  ....
0117FEEC  |00000000  ....
0117FEF0  |00000000  ....
0117FEF4  |00000000  ....
0117FEF8  |00000000  ....
0117FEFC  |B33A3BF8  ø;:³
0117FF00  |00000000  ....
0117FF04  |00000000  ....
0117FF08  |00000000  ....
0117FF0C  |00000287  ‡..
0117FF10  |8063A0A4  ¤ c€
0117FF14  |00000000  ....
0117FF18  |00000000  ....
0117FF1C  |00000000  ....
0117FF20  |00000000  ....
0117FF24  |00813540  @5.
0117FF28  |B33A3D08  =:³
0117FF2C  |00000000  ....
0117FF30  |00000000  ....
0117FF34  |00000000  ....
0117FF38  |00000000  ....
0117FF3C  |00000000  ....
0117FF40  |7FFD0001  .ý  ASCII "??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????"...
0117FF44  |B33A3C84  „<:³
0117FF48  |80500C00  ..P€
0117FF4C  |00780010  .x.
0117FF50  |00000008  ...
0117FF54  |00000000  ....
0117FF58  |00000000  ....
0117FF5C  |0000000F  ...
0117FF60  |00000000  ....
0117FF64  |00000001  ...
0117FF68  |00000000  ....
0117FF6C  |00000000  ....
0117FF70  |00000000  ....
0117FF74  |00000000  ....
0117FF78  |00165498  ˜T.
0117FF7C  |FFFFFFFF  ÿÿÿÿ
0117FF80  |00000000  ....
0117FF84  |00000000  ....
0117FF88  |00000000  ....
0117FF8C  |00000000  ....
0117FF90  |00000000  ....
0117FF94  |00000000  ....
0117FF98  |00000000  ....
0117FF9C  |EED32943  C)Óî
0117FFA0  |80500C8A  Š.P€
0117FFA4  |0117FFDC  Üÿ  Pointer to next SEH record
0117FFA8  |1030CB46  FË0  SE handler
0117FFAC  |00000000  ....
0117FFB0  \0117FFEC  ìÿ
0117FFB4   1023F307  ó#  RETURN to xul.1023F307
0117FFB8   7C80B729  )·€|  RETURN to kernel32.7C80B729
0117FFBC   00813480  €4.
0117FFC0   0012F8F8  øø.
0117FFC4   7C96FC28  (ü–|  RETURN to ntdll.7C96FC28 from ntdll.RtlLeaveCriticalSection
0117FFC8   00813480  €4.
0117FFCC   7FFDD000  .Ðý
0117FFD0   8A532600  .&SŠ
0117FFD4   0117FFC0  Àÿ
0117FFD8   89C643F0  ðCƉ
0117FFDC   FFFFFFFF  ÿÿÿÿ  End of SEH chain
0117FFE0   7C839AD8  Øšƒ|  SE handler
0117FFE4   7C80B730  0·€|  kernel32.7C80B730
0117FFE8   00000000  ....
0117FFEC   00000000  ....
0117FFF0   00000000  ....
0117FFF4   1023F2FE  þò#  xul.1023F2FE
0117FFF8   00813480  €4.
0117FFFC   00000000  ....
================================================================================

On another instance:

7815C5AF   68 98B51A78      PUSH MOZCRT19.781AB598    ; ASCII "Attempted a typeid of NULL pointer!"
7815C5E7   68 74B51A78      PUSH MOZCRT19.781AB574    ; ASCII "Bad read pointer - no RTTI data!"
7815C612   68 50B51A78      PUSH MOZCRT19.781AB550    ; ASCII "Access violation - no RTTI data!"

================================================================================


WINDBG TRACE. (Behold the mess below)


================================================================================

1:011> g

===============================================================

(5bc.f9c): C++ EH exception - code e06d7363 (first chance)
(5bc.f9c): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=0012a7dc ebx=109aa3ac ecx=00000000 edx=781d7ba8 esi=0012a864 edi=02faf06f
eip=7c812afb esp=0012a7d8 ebp=0012a82c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
kernel32!RaiseException+0x53:
7c812afb 5e              pop     esi

===============================================================

0:000> !exchain

0012f5b4: xul!__SEH_epilog4_GS+9758 (1030e788)
0012f6c4: xul!__SEH_epilog4_GS+bd10 (10310d40)
0012f704: xul!__SEH_epilog4_GS+bf82 (10310fb2)
0012f790: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012f7e4: USER32!_except_handler3+0 (7e44048f)
0012f9ac: xul!__SEH_epilog4_GS+bd10 (10310d40)
0012f9ec: xul!__SEH_epilog4_GS+bf82 (10310fb2)
0012fa78: USER32!_except_handler3+0 (7e44048f)
  CRT scope  0, func:   USER32!UserCallWinProcCheckWow+155 (7e44ac6b)
0012fad8: USER32!_except_handler3+0 (7e44048f)
0012fc2c: xul!_except_handler4+0 (102f05b4)
  CRT scope  0, filter: xul!MessageLoop::RunHandler+1be843 (103e8890)
                func:   xul!MessageLoop::RunHandler+1be84f (103e889c)
0012fc68: xul!__SEH_epilog4_GS+7aee (1030cb1e)
0012ffb0: firefox!_except_handler4+0 (00401b98)
  CRT scope  0, filter: firefox!__tmainCRTStartup+16a (004016da)
                func:   firefox!__tmainCRTStartup+17f (004016ef)
0012ffe0: kernel32!_except_handler3+0 (7c839ad8)
  CRT scope  0, filter: kernel32!BaseProcessStart+29 (7c8438ea)
                func:   kernel32!BaseProcessStart+3a (7c843900)
Invalid exception stack at ffffffff

===============================================================

0:000> |* ~* kp

.  0  Id: 5bc.f9c Suspend: 1 Teb: 7ffdf000 Unfrozen
ChildEBP RetAddr  
0012a82c 7815c52b kernel32!RaiseException+0x53
0012a864 78164f13 MOZCRT19!_CxxThrowException(void * pExceptionObject = 0x0012a874, struct _s__ThrowInfo * pThrowInfo = 0x781caa34)+0x46 [f:\sp\vctools\crt_bld\self_x86\crt\prebuild\eh\throw.cpp @ 161]
0012a87c 101980f5 MOZCRT19!operator new(unsigned int size = 0x100f9e65)+0x73 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\memory\jemalloc\crtsrc\new.cpp @ 61]
0012a898 100f9e65 xul!gfxWindowsFontGroup::MakeTextRun(wchar_t * aString = 0x2e000008 "????????????????????????????????????????????????????????????????", unsigned int aLength = 0x2faf06f, struct gfxTextRunFactory::Parameters * aParams = 0x0012a90c, unsigned int aFlags = 0x1100101)+0x24 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\gfx\thebes\src\gfxwindowsfonts.cpp @ 1487]
0012aef8 101ba0f2 xul!TextRunWordCache::MakeTextRun(wchar_t * aText = 0x28000008 "????????????????????????????????????????????????????????????????", unsigned int aLength = 0x2faf06e, class gfxFontGroup * aFontGroup = 0x00000000, struct gfxTextRunFactory::Parameters * aParams = 0x0012afd0, unsigned int aFlags = 0x1100100)+0x605 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\gfx\thebes\src\gfxtextrunwordcache.cpp @ 685]
0012af20 100fc491 xul!MakeTextRun(wchar_t * aText = 0x28000008 "????????????????????????????????????????????????????????????????", unsigned int aLength = 0x2faf06e, class gfxFontGroup * aFontGroup = 0x00000000, struct gfxTextRunFactory::Parameters * aParams = 0x0012afd0, unsigned int aFlags = 0x1100100)+0x39 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 493]
0012c424 10110ebc xul!BuildTextRunsScanner::BuildTextRunForFrames(void * aTextBuffer = 0x00000000)+0xae1 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 1840]
0012d454 100e93ba xul!BuildTextRunsScanner::FlushFrames(int aFlushLineBreaks = <Memory access error>, int aSuppressTrailingBreak = 0n0)+0xac [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 1272]
0012d4c8 5ad799fa xul!BuildTextRuns(class gfxContext * aContext = 0x41414141, class nsTextFrame * aForFrame = 0x41414141, class nsIFrame * aLineContainer = 0x00000000, class nsLineList_iterator * aForFrameLine = 0x41414141)+0x32a [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 1206]
0012d4e8 5ad77402 uxtheme!_OpenThemeData+0x52
0012d508 10106786 uxtheme!OpenThemeData+0x56
0012d520 1037663f xul!nsNativeThemeWin::ThemeSupportsWidget(class nsPresContext * aPresContext = 0x0080b344, class nsIFrame * aFrame = 0x00000000, unsigned char aWidgetType = 0x80 '')+0x116 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nsnativethemewin.cpp @ 1741]
0012d578 10132419 xul!nsIFrame::FinishAndStoreOverflow+0x2372df
0012d598 10300926 xul!nsIFrame::InvalidateWithFlags(struct nsRect * aDamageRect = 0x00000294, unsigned int aFlags = 0xb4)+0x59 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsframe.cpp @ 3641]
0012d5a4 1016741b xul!nsIFrame::Invalidate(struct nsRect * aDamageRect = 0x00000294)+0xb [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\dist\include\nsiframe.h @ 1756]
0012d720 00354e79 xul!nsBlockFrame::ReflowLine(class nsBlockReflowState * aState = 0x0012a7dc, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00002328)+0xdb [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 2479]
0012d788 100e9687 js3250!js_TraceObject(struct JSTracer * trc = <Memory access error>, struct JSObject * obj = <Memory access error>)+0x99 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\js\src\jsobj.cpp @ 5679]
0012d7e4 100f6eb1 xul!nsTextFrame::EnsureTextRun(class gfxContext * aReferenceContext = 0x00000000, class nsIFrame * aLineContainer = 0x00000000, class nsLineList_iterator * aLine = 0x00000000, unsigned int * aFlowEndInTextRun = 0x0141f4c0)+0xb7 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 2116]
0012d9c4 1014557d xul!nsTextFrame::Reflow(class nsPresContext * aPresContext = 0x02d107d0, struct nsHTMLReflowMetrics * aMetrics = 0x0012da2c, struct nsHTMLReflowState * aReflowState = 0x0012da70, unsigned int * aStatus = 0x0012db58)+0x241 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 6273]
0012db30 10157671 xul!nsLineLayout::ReflowFrame(class nsIFrame * aFrame = 0x00000000, unsigned int * aReflowStatus = 0x00000000, struct nsHTMLReflowMetrics * aMetrics = 0x04a8d9b0, int * aPushedFrame = 0x000003c0)+0x42d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nslinelayout.cpp @ 848]
0012db6c 1015796d xul!nsBlockFrame::ReflowInlineFrame(class nsBlockReflowState * aState = 0x0012e100, class nsLineLayout * aLineLayout = 0x04afe8c0, class nsLineList_iterator aLine = class nsLineList_iterator, class nsIFrame * aFrame = 0x0012a7dc, LineReflowStatus * aLineReflowStatus = 0x000001e0)+0x31 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 3759]
0012dbc0 101671e2 xul!nsBlockFrame::DoReflowInlineFrames(class nsBlockReflowState * aState = 0x0012e100, class nsLineLayout * aLineLayout = 0x04afe8c0, class nsLineList_iterator aLine = class nsLineList_iterator, struct nsFlowAreaRect * aFloatAvailableSpace = 0x000001e0, int * aAvailableSpaceHeight = 0x00000000, struct nsFloatManager::SavedState * aFloatStateBeforeLine = 0x00000000, int * aKeepReflowGoing = 0x000001e0, LineReflowStatus * aLineReflowStatus = 0x000001e0, int aAllowPullUp = 0n1073741824)+0xfd [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 3575]
0012dcc4 101673b0 xul!nsBlockFrame::ReflowInlineFrames(class nsBlockReflowState * aState = 0x0012a864, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00000000)+0x1f2 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 3424]
0012dd64 1016573f xul!nsBlockFrame::ReflowLine(class nsBlockReflowState * aState = 0x0012a7dc, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00003ed0)+0x70 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 2463]
0012de10 1014e23d xul!nsBlockFrame::ReflowDirtyLines(class nsBlockReflowState * aState = 0x04a8d9b0)+0x1ef [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 1922]
0012df78 1016ea55 xul!nsBlockFrame::Reflow(class nsPresContext * aPresContext = 0x02d107d0, struct nsHTMLReflowMetrics * aMetrics = 0x0012e08c, struct nsHTMLReflowState * aReflowState = 0x0012e100, unsigned int * aStatus = 0x0012dfe0)+0x27d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 993]
0012df9c 101681d4 xul!nsBlockReflowContext::ReflowBlock(struct nsRect * aSpace = 0x00000000, int aApplyTopMargin = 0n1073741824, struct nsCollapsingMargin * aPrevMargin = 0x00000000, int aClearance = 0n0, int aIsAdjacentWithTop = 0n0, class nsLineBox * aLine = 0x781d7ba8, struct nsHTMLReflowState * aFrameRS = 0x00000000, unsigned int * aFrameReflowStatus = 0x00000000, class nsBlockReflowState * aState = 0x00000000)+0xd5 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockreflowcontext.cpp @ 311]
0012e250 1016747e xul!nsBlockFrame::ReflowBlockFrame(class nsBlockReflowState * aState = 0x0012e608, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00000000)+0x424 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 3147]
0012e2f4 1016573f xul!nsBlockFrame::ReflowLine(class nsBlockReflowState * aState = 0x0012a7dc, class nsLineList_iterator aLine = class nsLineList_iterator, int * aKeepReflowGoing = 0x00004290)+0x13e [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 2408]
0012e3a0 1014e23d xul!nsBlockFrame::ReflowDirtyLines(class nsBlockReflowState * aState = 0x0557ce68)+0x1ef [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 1922]
0012e50c 1017cdad xul!nsBlockFrame::Reflow(class nsPresContext * aPresContext = 0x02d107d0, struct nsHTMLReflowMetrics * aMetrics = 0x0012e5cc, struct nsHTMLReflowState * aReflowState = 0x0012e608, unsigned int * aStatus = 0x0012e744)+0x27d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 993]
0012e544 10092887 xul!nsContainerFrame::ReflowChild(class nsIFrame * aKidFrame = 0x00000007, class nsPresContext * aPresContext = 0x00000000, struct nsHTMLReflowMetrics * aDesiredSize = 0x042f38a0, struct nsHTMLReflowState * aReflowState = 0x04ea9800, int aX = 0n89262368, int aY = 0n85807320, unsigned int aFlags = 0x1418400, unsigned int * aStatus = 0x01d83ea4, class nsOverflowContinuationTracker * aTracker = 0x02d106c0)+0x6d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nscontainerframe.cpp @ 800]
0012e6b4 1017cdad xul!CanvasFrame::Reflow(class nsPresContext * aPresContext = 0x02d107d0, struct nsHTMLReflowMetrics * aDesiredSize = 0x0012e84c, struct nsHTMLReflowState * aReflowState = 0x0012e748, unsigned int * aStatus = 0x0012e744)+0x157 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nshtmlframe.cpp @ 553]
0012e6ec 1017cc2f xul!nsContainerFrame::ReflowChild(class nsIFrame * aKidFrame = 0x00000007, class nsPresContext * aPresContext = 0x00000000, struct nsHTMLReflowMetrics * aDesiredSize = 0x042f38a0, struct nsHTMLReflowState * aReflowState = 0x04ea9800, int aX = 0n89262368, int aY = 0n85807320, unsigned int aFlags = 0x1418400, unsigned int * aStatus = 0x01d83ea4, class nsOverflowContinuationTracker * aTracker = 0x02d106c0)+0x6d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nscontainerframe.cpp @ 800]
0012e7f8 10088251 xul!nsHTMLScrollFrame::ReflowScrolledFrame(struct ScrollReflowState * aState = 0x02d107d0, int aAssumeHScroll = 0n25203200, int aAssumeVScroll = 0n0, struct nsHTMLReflowMetrics * aMetrics = 0x00000000, int aFirstPass = 0n1239576)+0x19f [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsgfxscrollframe.cpp @ 553]
0012e884 1017ea2b xul!nsHTMLScrollFrame::ReflowContents(struct ScrollReflowState * aState = 0x00000000, struct nsHTMLReflowMetrics * aDesiredSize = 0x0012a7dc)+0x81 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsgfxscrollframe.cpp @ 640]
0012e954 1017cdad xul!nsHTMLScrollFrame::Reflow(class nsPresContext * aPresContext = 0x02d107d0, struct nsHTMLReflowMetrics * aDesiredSize = 0x0012e9dc, struct nsHTMLReflowState * aReflowState = 0x0012ea18, unsigned int * aStatus = 0x0012ec0c)+0x22b [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsgfxscrollframe.cpp @ 840]
0012e98c 1017d26d xul!nsContainerFrame::ReflowChild(class nsIFrame * aKidFrame = 0x00000007, class nsPresContext * aPresContext = 0x00000000, struct nsHTMLReflowMetrics * aDesiredSize = 0x042f38a0, struct nsHTMLReflowState * aReflowState = 0x04ea9800, int aX = 0n89262368, int aY = 0n85807320, unsigned int aFlags = 0x1418400, unsigned int * aStatus = 0x01d83ea4, class nsOverflowContinuationTracker * aTracker = 0x02d106c0)+0x6d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nscontainerframe.cpp @ 800]
0012eb6c 10154316 xul!ViewportFrame::Reflow(class nsPresContext * aPresContext = 0x02d107d0, struct nsHTMLReflowMetrics * aDesiredSize = 0x0012ebd0, struct nsHTMLReflowState * aReflowState = 0x0012ec10, unsigned int * aStatus = 0x0012ec0c)+0x10d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsviewportframe.cpp @ 287]
0012ecbc 100c53ab xul!PresShell::DoReflow(class nsIFrame * target = 0x05569628, int aInterruptible = 0n1)+0x446 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\base\nspresshell.cpp @ 7314]
0012ece8 100d7449 xul!PresShell::ProcessReflowCommands(int aInterruptible = 0n1)+0xeb [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\base\nspresshell.cpp @ 7432]
0012f338 100c015b xul!PresShell::FlushPendingNotifications(mozFlushType aType = 0n47253456 (No matching enumerant))+0x259 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\base\nspresshell.cpp @ 4910]
0012f344 100de426 xul!PresShell::WillPaint(void)+0x2b [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\base\nspresshell.cpp @ 6952]
0012f39c 100cb1da xul!nsViewManager::DispatchEvent(class nsGUIEvent * aEvent = 0x0012f4bc, class nsIView * aView = 0x0551f280, nsEventStatus * aStatus = 0x0012f3d0)+0x246 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\view\src\nsviewmanager.cpp @ 992]
0012f3c8 101915a5 xul!HandleEvent(class nsGUIEvent * aEvent = 0x100af67b)+0x10a [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\view\src\nsview.cpp @ 168]
0012f3dc 1019156d xul!nsWindow::DispatchEvent(class nsGUIEvent * event = 0x00000000, nsEventStatus * aStatus = 0x22ae0aab)+0x25 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 2979]
0012f3f0 100af67b xul!nsWindow::DispatchWindowEvent(class nsGUIEvent * event = 0x00000000)+0x13 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 3008]
0012f5c8 100bad7a xul!nsWindow::OnPaint(struct HDC__ * aDC = 0x00000000)+0xab [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindowgfx.cpp @ 385]
0012f6d0 100d00e5 xul!nsWindow::ProcessMessage(unsigned int msg = 0xf, unsigned int * wParam = 0x0012f71c, long * lParam = 0x0012f720, long * aRetValue = 0x0012f700)+0x15a [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 4028]
0012f70c 7e418734 xul!nsWindow::WindowProc(struct HWND__ * hWnd = <Memory access error>, unsigned int msg = <Memory access error>, unsigned int wParam = <Memory access error>, long lParam = <Memory access error>)+0xf5 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 3727]
0012f738 7e418816 USER32!InternalCallWinProc+0x28
0012f7a0 7e428ea0 USER32!UserCallWinProcCheckWow+0x150
0012f7f4 7e428eec USER32!DispatchClientMessage+0xa3
0012f81c 7c90e473 USER32!__fnDWORD+0x24
0012f840 7e42aef1 ntdll!KiUserCallbackDispatcher+0x13
0012f854 10242510 USER32!NtUserCallHwndLock+0xc
0012f860 7e42a4e8 xul!nsWindow::DispatchStarvedPaints(struct HWND__ * aWnd = 0x7e42b109, long aMsg = 0n0)+0x32 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 3119]
0012f880 7e42b109 USER32!InternalEnumWindows+0x5a
0012f8a0 102308c0 USER32!EnumChildWindows+0x19
0012f8b4 103f278d xul!nsWindow::DispatchPendingEvents(void)+0x5a [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 3156]
0012f9b8 100d00e5 xul!nsWindow::ProcessMessage+0x337b6d
0012f9f4 7e418734 xul!nsWindow::WindowProc(struct HWND__ * hWnd = <Memory access error>, unsigned int msg = <Memory access error>, unsigned int wParam = <Memory access error>, long lParam = <Memory access error>)+0xf5 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 3727]
0012fa20 7e418816 USER32!InternalCallWinProc+0x28
0012fa88 7e4189cd USER32!UserCallWinProcCheckWow+0x150
0012fae8 7e418a10 USER32!DispatchMessageWorker+0x306
0012faf8 100d23ae USER32!DispatchMessageW+0xf
0012fb60 004eeeea xul!nsAppShell::ProcessNextNativeEvent(int mayWait = 0n279129616)+0xae [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nsappshell.cpp @ 179]
0012fb84 100f4115 nspr4!PR_IntervalNow(void)+0x1a [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\nsprpub\pr\src\misc\prinrval.c @ 78]
0012fbc0 1015fa66 xul!nsThread::ProcessNextEvent(int mayWait = <Memory access error>, int * result = <Memory access error>)+0x155 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\xpcom\threads\nsthread.cpp @ 510]
0012fc00 1022a073 xul!mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate * aDelegate = 0x10a32e28)+0x196 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\ipc\glue\messagepump.cpp @ 135]
0012fc3c 1022a03b xul!MessageLoop::RunHandler(void)+0x26 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\ipc\chromium\src\base\message_loop.cc @ 200]
0012fc74 10229140 xul!MessageLoop::Run(void)+0x1f [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\ipc\chromium\src\base\message_loop.cc @ 174]
0012fc80 1022a1eb xul!nsBaseAppShell::Run(void)+0x34 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\xpwidgets\nsbaseappshell.cpp @ 180]
0012fc8c 1002e9fd xul!nsAppStartup::Run(void)+0x1e [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\toolkit\components\startup\src\nsappstartup.cpp @ 184]
0012ff34 0040133b xul!XRE_main(int argc = 0n1, char ** argv = 0x008240a8, struct nsXREAppData * aAppData = 0x00813300)+0xdc3 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\toolkit\xre\nsapprunner.cpp @ 3485]
0012ff80 004016c2 firefox!wmain(int argc = 0n1, wchar_t ** argv = 0x00832080)+0x33b [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\toolkit\xre\nswindowswmain.cpp @ 120]
0012ffc0 7c817077 firefox!__tmainCRTStartup(void)+0x152 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\memory\jemalloc\crtsrc\crtexe.c @ 591]
0012fff0 00000000 kernel32!BaseProcessStart+0x23
              ^ User interrupted operation error in '|* ~* kp'

===============================================================

0:000> |* !analyze -v -f
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

GetPageUrlData failed, server returned HTTP status 404
URL requested: http://watson.microsoft.com/StageOne/firefox_exe/1_9_2_3989/kernel32_dll/5_1_2600_5781/00012afb.htm?Retriage=1

FAULTING_IP: 
kernel32!RaiseException+53
7c812afb 5e              pop     esi

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 7c812afb (kernel32!RaiseException+0x00000053)
   ExceptionCode: e06d7363 (C++ EH exception)
  ExceptionFlags: 00000001
NumberParameters: 3
   Parameter[0]: 19930520
   Parameter[1]: 0012a874
   Parameter[2]: 781caa34
!cppexr ffffffffffffffff
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: msvcrt!EHExceptionRecord                      ***
***                                                                   ***
*************************************************************************

FAULTING_THREAD:  00000f9c

DEFAULT_BUCKET_ID:  APPLICATION_FAULT

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xe06d7363 - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xe06d7363 - <Unable to get error code text>

EXCEPTION_PARAMETER1:  19930520

EXCEPTION_PARAMETER2:  0012a874

EXCEPTION_PARAMETER3:  781caa34

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  70

APPLICATION_VERIFIER_FLAGS:  0

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

BUGCHECK_STR:  APPLICATION_FAULT_APPLICATION_FAULT

LAST_CONTROL_TRANSFER:  from 7815c52b to 7c812afb

STACK_TEXT:  
0012a82c 7815c52b e06d7363 00000001 00000003 kernel32!RaiseException+0x53
0012a864 78164f13 0012a874 781caa34 781ac11c MOZCRT19!_CxxThrowException+0x46 [f:\sp\vctools\crt_bld\self_x86\crt\prebuild\eh\throw.cpp @ 161]
0012a87c 101980f5 0bebc21c 0012afd0 0012a90c MOZCRT19!operator new+0x73 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\memory\jemalloc\crtsrc\new.cpp @ 61]
0012a898 100f9e65 2e000008 02faf06f 0012a90c xul!gfxWindowsFontGroup::MakeTextRun+0x24 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\gfx\thebes\src\gfxwindowsfonts.cpp @ 1487]
0012aef8 101ba0f2 28000008 02faf06e 0012afd0 xul!TextRunWordCache::MakeTextRun+0x605 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\gfx\thebes\src\gfxtextrunwordcache.cpp @ 685]
0012af20 100fc491 28000008 02faf06e 0012afd0 xul!MakeTextRun+0x39 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 493]
0012c424 10110ebc 0012d4b0 0557fe58 0012d788 xul!BuildTextRunsScanner::BuildTextRunForFrames+0xae1 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 1840]
0012d454 100e93ba 00000001 00000000 0012d8a4 xul!BuildTextRunsScanner::FlushFrames+0xac [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 1272]
0012d4c8 5ad799fa 00000000 01ddcf40 00000000 xul!BuildTextRuns+0x32a [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 1206]
0012d4e8 5ad77402 00000000 00000000 0012da54 uxtheme!_OpenThemeData+0x52
0012d508 10106786 04ea9c00 05550ea8 00000001 uxtheme!OpenThemeData+0x56
0012d520 1037663f 05520100 05550ea8 00000001 xul!nsNativeThemeWin::ThemeSupportsWidget+0x116 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nsnativethemewin.cpp @ 1741]
0012d578 10132419 0012d5d0 00000000 00000000 xul!nsIFrame::FinishAndStoreOverflow+0x2372df
0012d598 10300926 00000000 00000000 1016741b xul!nsIFrame::InvalidateWithFlags+0x59 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsframe.cpp @ 3641]
0012d5a4 1016741b 0012d5d0 0012d768 000003c0 xul!nsIFrame::Invalidate+0xb [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\dist\include\nsiframe.h @ 1756]
0012d720 00354e79 00000000 40000000 0012d734 xul!nsBlockFrame::ReflowLine+0xdb [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 2479]
0012d788 100e9687 01d62100 04a8d9b0 0012dc3c js3250!js_TraceObject+0x99 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\js\src\jsobj.cpp @ 5679]
0012d7e4 100f6eb1 01d62100 01d62100 0557ce68 xul!nsTextFrame::EnsureTextRun+0xb7 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 2116]
0012d9c4 1014557d 04a8d9b0 02d107d0 0012da2c xul!nsTextFrame::Reflow+0x241 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nstextframethebes.cpp @ 6273]
0012db30 10157671 04a8d9b0 0012db58 00000000 xul!nsLineLayout::ReflowFrame+0x42d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nslinelayout.cpp @ 848]
0012db6c 1015796d 0557ce68 0012de90 0012dc20 xul!nsBlockFrame::ReflowInlineFrame+0x31 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 3759]
0012dbc0 101671e2 0557ce68 00000000 0012dc20 xul!nsBlockFrame::DoReflowInlineFrames+0xfd [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 3575]
0012dcc4 101673b0 0557ce68 0557fe58 0012dda0 xul!nsBlockFrame::ReflowInlineFrames+0x1f2 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 3424]
0012dd64 1016573f 0557ce68 0557fe58 0012dda0 xul!nsBlockFrame::ReflowLine+0x70 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 2463]
0012de10 1014e23d 0557ce68 0012de90 000001e0 xul!nsBlockFrame::ReflowDirtyLines+0x1ef [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 1922]
0012df78 1016ea55 0557ce68 02d107d0 0012e08c xul!nsBlockFrame::Reflow+0x27d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 993]
0012df9c 101681d4 0012e008 00000001 00000000 xul!nsBlockReflowContext::ReflowBlock+0xd5 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockreflowcontext.cpp @ 311]
0012e250 1016747e 0557cb58 0012e420 0557cec0 xul!nsBlockFrame::ReflowBlockFrame+0x424 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 3147]
0012e2f4 1016573f 0557cb58 0557cec0 0012e330 xul!nsBlockFrame::ReflowLine+0x13e [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 2408]
0012e3a0 1014e23d 0557cb58 0012e420 00000000 xul!nsBlockFrame::ReflowDirtyLines+0x1ef [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 1922]
0012e50c 1017cdad 0557cb58 02d107d0 0012e5cc xul!nsBlockFrame::Reflow+0x27d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsblockframe.cpp @ 993]
0012e544 10092887 0557cb58 02d107d0 0012e5cc xul!nsContainerFrame::ReflowChild+0x6d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nscontainerframe.cpp @ 800]
0012e6b4 1017cdad 05569a40 02d107d0 0012e84c xul!CanvasFrame::Reflow+0x157 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nshtmlframe.cpp @ 553]
0012e6ec 1017cc2f 05569a40 02d107d0 0012e84c xul!nsContainerFrame::ReflowChild+0x6d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nscontainerframe.cpp @ 800]
0012e7f8 10088251 0012e8d0 00000000 00000001 xul!nsHTMLScrollFrame::ReflowScrolledFrame+0x19f [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsgfxscrollframe.cpp @ 553]
0012e884 1017ea2b 05569b50 0551fca0 05569b50 xul!nsHTMLScrollFrame::ReflowContents+0x81 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsgfxscrollframe.cpp @ 640]
0012e954 1017cdad 05569b50 02d107d0 0012e9dc xul!nsHTMLScrollFrame::Reflow+0x22b [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsgfxscrollframe.cpp @ 840]
0012e98c 1017d26d 05569b50 02d107d0 0012e9dc xul!nsContainerFrame::ReflowChild+0x6d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nscontainerframe.cpp @ 800]
0012eb6c 10154316 05569628 02d107d0 0012ebd0 xul!ViewportFrame::Reflow+0x10d [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\generic\nsviewportframe.cpp @ 287]
0012ecbc 100c53ab 042f38a0 05569628 00000001 xul!PresShell::DoReflow+0x446 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\base\nspresshell.cpp @ 7314]
0012ece8 100d7449 00000001 00000020 00000006 xul!PresShell::ProcessReflowCommands+0xeb [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\base\nspresshell.cpp @ 7432]
0012f338 100c015b 042f38a0 00000004 100de426 xul!PresShell::FlushPendingNotifications+0x259 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\base\nspresshell.cpp @ 4910]
0012f344 100de426 042f3924 0551f280 0012f3c8 xul!PresShell::WillPaint+0x2b [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\layout\base\nspresshell.cpp @ 6952]
0012f39c 100cb1da 0551f220 0012f4bc 0551f280 xul!nsViewManager::DispatchEvent+0x246 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\view\src\nsviewmanager.cpp @ 992]
0012f3c8 101915a5 00000001 00000000 00000000 xul!HandleEvent+0x10a [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\view\src\nsview.cpp @ 168]
0012f3dc 1019156d 050a5d00 0012f4bc 0012f3f8 xul!nsWindow::DispatchEvent+0x25 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 2979]
0012f3f0 100af67b 00000000 22ae0aab 0012f720 xul!nsWindow::DispatchWindowEvent+0x13 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 3008]
0012f5c8 100bad7a 00000000 22ae0b73 050a5d00 xul!nsWindow::OnPaint+0xab [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindowgfx.cpp @ 385]
0012f6d0 100d00e5 0000000f 0012f71c 0012f720 xul!nsWindow::ProcessMessage+0x15a [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 4028]
0012f70c 7e418734 00000001 0000000f 00000000 xul!nsWindow::WindowProc+0xf5 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 3727]
0012f738 7e418816 100cfff0 000c090e 0000000f USER32!InternalCallWinProc+0x28
0012f7a0 7e428ea0 00000000 100cfff0 000c090e USER32!UserCallWinProcCheckWow+0x150
0012f7f4 7e428eec 00bb49e0 0000000f 00000000 USER32!DispatchClientMessage+0xa3
0012f81c 7c90e473 0012f82c 00000018 00bb49e0 USER32!__fnDWORD+0x24
0012f840 7e42aef1 7e42aedc 000c090e 0000005e ntdll!KiUserCallbackDispatcher+0x13
0012f854 10242510 000c090e 01e9df60 7e42a4e8 USER32!NtUserCallHwndLock+0xc
0012f860 7e42a4e8 000c090e 00000000 050a5d00 xul!nsWindow::DispatchStarvedPaints+0x32 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 3119]
0012f880 7e42b109 00000000 002e077c 102424de USER32!InternalEnumWindows+0x5a
0012f8a0 102308c0 002e077c 102424de 00000000 USER32!EnumChildWindows+0x19
0012f8b4 103f278d 22ae066b 050a5d00 00000202 xul!nsWindow::DispatchPendingEvents+0x5a [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 3156]
0012f9b8 100d00e5 00000202 0012fa04 0012fa08 xul!nsWindow::ProcessMessage+0x337b6d
0012f9f4 7e418734 00000001 00000202 00000000 xul!nsWindow::WindowProc+0xf5 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nswindow.cpp @ 3727]
0012fa20 7e418816 100cfff0 000c090e 00000202 USER32!InternalCallWinProc+0x28
0012fa88 7e4189cd 00000000 100cfff0 000c090e USER32!UserCallWinProcCheckWow+0x150
0012fae8 7e418a10 0012fb14 00000000 008cf7c0 USER32!DispatchMessageWorker+0x306
0012faf8 100d23ae 0012fb14 008cf7c4 008cf7c0 USER32!DispatchMessageW+0xf
0012fb60 004eeeea 100d257c 00000001 00000000 xul!nsAppShell::ProcessNextNativeEvent+0xae [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\windows\nsappshell.cpp @ 179]
0012fb84 100f4115 00000000 00814330 00000001 nspr4!PR_IntervalNow+0x1a [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\nsprpub\pr\src\misc\prinrval.c @ 78]
0012fbc0 1015fa66 00000000 00000001 0012fbf0 xul!nsThread::ProcessNextEvent+0x155 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\xpcom\threads\nsthread.cpp @ 510]
0012fc00 1022a073 0083f300 22ae0297 00814330 xul!mozilla::ipc::MessagePump::Run+0x196 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\ipc\glue\messagepump.cpp @ 135]
0012fc3c 1022a03b 22ae02df 00814330 008cf7c0 xul!MessageLoop::RunHandler+0x26 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\ipc\chromium\src\base\message_loop.cc @ 200]
0012fc74 10229140 00000000 0141f310 1022a1eb xul!MessageLoop::Run+0x1f [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\ipc\chromium\src\base\message_loop.cc @ 174]
0012fc80 1022a1eb 008cf7c0 004ed950 1002e9fd xul!nsBaseAppShell::Run+0x34 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\widget\src\xpwidgets\nsbaseappshell.cpp @ 180]
0012fc8c 1002e9fd 0141f310 008240a8 00000001 xul!nsAppStartup::Run+0x1e [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\toolkit\components\startup\src\nsappstartup.cpp @ 184]
0012ff34 0040133b 00000001 008240a8 00813300 xul!XRE_main+0xdc3 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\toolkit\xre\nsapprunner.cpp @ 3485]
0012ff80 004016c2 00000001 00832080 00811700 firefox!wmain+0x33b [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\toolkit\xre\nswindowswmain.cpp @ 120]
0012ffc0 7c817077 00f1f6ee 00f1f77a 7ffd8000 firefox!__tmainCRTStartup+0x152 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\memory\jemalloc\crtsrc\crtexe.c @ 591]
0012fff0 00000

FOLLOWUP_IP: 
MOZCRT19!operator new+73 [e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\memory\jemalloc\crtsrc\new.cpp @ 61]
78164f13 83c40c          add     esp,0Ch

FAULTING_SOURCE_CODE:  
No source found for 'e:\builds\moz2_slave\release-mozilla-1.9.2-win32_build\build\obj-firefox\memory\jemalloc\crtsrc\new.cpp'


SYMBOL_STACK_INDEX:  2

SYMBOL_NAME:  mozcrt19!operator new+73

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: MOZCRT19

IMAGE_NAME:  MOZCRT19.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4cf914e9

STACK_COMMAND:  ~0s ; kb

FAILURE_BUCKET_ID:  APPLICATION_FAULT_e06d7363_MOZCRT19.dll!operator_new

BUCKET_ID:  APPLICATION_FAULT_APPLICATION_FAULT_mozcrt19!operator_new+73

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/firefox_exe/1_9_2_3989/4cf9293f/kernel32_dll/5_1_2600_5781/49c4f482/e06d7363/00012afb.htm?Retriage=1

Followup: MachineOwner
---------

0:000> |* lm
start    end        module name
00280000 002fb000   sqlite3    (private pdb symbols)  c:\symbols\sqlite3.pdb\1BAFC49C00004BCB9A2A4A4E111D39321\sqlite3.pdb
00300000 003fa000   js3250     (private pdb symbols)  c:\symbols\js3250.pdb\69F17842AE164654A7D27C2518CB49612\js3250.pdb
00400000 004e0000   firefox    (private pdb symbols)  c:\symbols\firefox.pdb\5F0662B9EA55440192592EA0466AA8412\firefox.pdb
004e0000 00511000   nspr4      (private pdb symbols)  c:\symbols\nspr4.pdb\F787D7B9247241689CD65A164D69241F1\nspr4.pdb
00520000 00538000   smime3     (private pdb symbols)  c:\symbols\smime3.pdb\170D36FCB90B4E06A2D577C8E6E68AE41\smime3.pdb
00540000 005dd000   nss3       (private pdb symbols)  c:\symbols\nss3.pdb\CFCECAA4E5D7442F81E09CA566EE4E6B1\nss3.pdb
005e0000 005f4000   nssutil3   (private pdb symbols)  c:\symbols\nssutil3.pdb\7188D66E46CB4697BAF0D94FF049E7FD1\nssutil3.pdb
00600000 00607000   plc4       (private pdb symbols)  c:\symbols\plc4.pdb\678D7414A7CC489291134EA05B19E7131\plc4.pdb
00610000 00617000   plds4      (private pdb symbols)  c:\symbols\plds4.pdb\8885F9ABCC4A4265B2C2FAD0304873681\plds4.pdb
00620000 00641000   ssl3       (private pdb symbols)  c:\symbols\ssl3.pdb\C4A53415B93E4A77B69DCEB1063699011\ssl3.pdb
00650000 00657000   xpcom      (private pdb symbols)  c:\symbols\xpcom.pdb\4DA33B9A17324C4FBF6A44B5040D56B22\xpcom.pdb
01190000 01198000   browserdirprovider   (deferred)             
013b0000 013d4000   brwsrcmp   (deferred)             
02400000 026c5000   xpsp2res   (deferred)             
02ad0000 02af6000   softokn3   (deferred)             
03300000 03433000   urlmon     (deferred)             
03440000 03458000   nssdbm3    (deferred)             
03460000 034a1000   freebl3    (deferred)             
03a00000 03a52000   nssckbi    (deferred)             
043b0000 043b9000   Normaliz   (deferred)             
10000000 10b55000   xul        (private pdb symbols)  c:\symbols\xul.pdb\CE2DF3F0B6EE465A9E403E5F147CEF692\xul.pdb
16080000 16099000   mdnsNSP    (deferred)             
3d930000 3da16000   WININET    (deferred)             
3dfd0000 3e1b9000   iertutil   (deferred)             
59a60000 59b01000   dbghelp    (deferred)             
5ad70000 5ada8000   uxtheme    (pdb symbols)          c:\symbols\uxtheme.pdb\E99E16308F094767B1F07FB5C3E5E2462\uxtheme.pdb
5b860000 5b8b5000   netapi32   (deferred)             
662b0000 66308000   hnetcfg    (deferred)             
71a50000 71a8f000   mswsock    (pdb symbols)          c:\symbols\mswsock.pdb\CC64D9118D4E458292AF634D2C79EF662\mswsock.pdb
71a90000 71a98000   wshtcpip   (deferred)             
71aa0000 71aa8000   WS2HELP    (pdb symbols)          c:\symbols\ws2help.pdb\6049CF5877C54E2AB512ABC1B4B2E7992\ws2help.pdb
71ab0000 71ac7000   WS2_32     (pdb symbols)          c:\symbols\ws2_32.pdb\A7605F8695A34329B38DDB8421A004CA2\ws2_32.pdb
71ad0000 71ad9000   WSOCK32    (pdb symbols)          c:\symbols\wsock32.pdb\2B38FE8F84144DACB8A4FD07C05E49FC2\wsock32.pdb
71bf0000 71c03000   SAMLIB     (deferred)             
72d10000 72d18000   msacm32    (deferred)             
72d20000 72d29000   wdmaud     (pdb symbols)          c:\symbols\wdmdrv.pdb\CC3EC71E05C44E6595271A6773E15AF21\wdmdrv.pdb
73000000 73026000   WINSPOOL   (pdb symbols)          c:\symbols\winspool.pdb\5199B63B39904A05A517CEE5158071522\winspool.pdb
73b30000 73b45000   mscms      (deferred)             
73ce0000 73d01000   t2embed    (deferred)             
73dc0000 73dc3000   LZ32       (deferred)             
74d90000 74dfb000   USP10      (pdb symbols)          c:\symbols\usp10.pdb\D4BA2952809F469BB6D1D3AF6B956E6B1\usp10.pdb
754d0000 75550000   CRYPTUI    (deferred)             
755c0000 755ee000   msctfime   (deferred)             
75f80000 7607d000   browseui   (pdb symbols)          c:\symbols\browseui.pdb\642459263F8947F0A92935BCC87EF8502\browseui.pdb
76380000 76385000   MSIMG32    (pdb symbols)          c:\symbols\msimg32.pdb\D2E18526D8234F4BB5A85DE12E71DE812\msimg32.pdb
76390000 763ad000   IMM32      (pdb symbols)          c:\symbols\imm32.pdb\F7A5B5DB13324153B57AAF340C77EA512\imm32.pdb
763b0000 763f9000   COMDLG32   (pdb symbols)          c:\symbols\comdlg32.pdb\026A6FF770FD4E6186ADBBE96DFFA99C2\comdlg32.pdb
76600000 7661d000   CSCDLL     (deferred)             
76980000 76988000   LINKINFO   (deferred)             
76990000 769b5000   ntshrui    (deferred)             
769c0000 76a74000   USERENV    (deferred)             
76b20000 76b31000   ATL        (deferred)             
76b40000 76b6d000   WINMM      (pdb symbols)          c:\symbols\winmm.pdb\90FC96D5AD8440A2B14855895BD92ED62\winmm.pdb
76c30000 76c5e000   WINTRUST   (deferred)             
76c90000 76cb8000   IMAGEHLP   (deferred)             
76d60000 76d79000   iphlpapi   (deferred)             
76f20000 76f47000   DNSAPI     (deferred)             
76f60000 76f8c000   WLDAP32    (deferred)             
76fb0000 76fb8000   winrnr     (deferred)             
76fc0000 76fc6000   rasadhlp   (deferred)             
76fd0000 7704f000   CLBCATQ    (deferred)             
77050000 77115000   COMRes     (deferred)             
77120000 771ab000   OLEAUT32   (pdb symbols)          c:\symbols\oleaut32.pdb\F2A209009B694EFCAD1A6CE9D992EBC12\oleaut32.pdb
773d0000 774d3000   COMCTL32   (pdb symbols)          

c:\symbols\MicrosoftWindowsCommon-Controls-6.0.2600.6028-comctl32.pdb\E882C2C890724D598449E20A4FE6F07C1\MicrosoftWindowsCommon-Controls-6.0.2

600.6028-comctl32.pdb
774e0000 7761e000   ole32      (pdb symbols)          c:\symbols\ole32.pdb\0E73207536D64E9C9FB83C682ED9E5852\ole32.pdb
77690000 776b1000   NTMARTA    (deferred)             
77920000 77a13000   SETUPAPI   (deferred)             
77a20000 77a74000   cscui      (deferred)             
77a80000 77b15000   CRYPT32    (deferred)             
77b20000 77b32000   MSASN1     (deferred)             
77b40000 77b62000   appHelp    (deferred)             
77be0000 77bf5000   MSACM32_77be0000   (deferred)             
77c00000 77c08000   VERSION    (pdb symbols)          c:\symbols\version.pdb\EA3D1BD3FE65475C8449C8D8B00722962\version.pdb
77c10000 77c68000   msvcrt     (pdb symbols)          c:\symbols\msvcrt.pdb\7BCF30D8C91B4F1B85FA4E55896250111\msvcrt.pdb
77dd0000 77e6b000   ADVAPI32   (pdb symbols)          c:\symbols\advapi32.pdb\F759D3F1C6614313B07C84BC33F02E4D2\advapi32.pdb
77e70000 77f03000   RPCRT4     (pdb symbols)          c:\symbols\rpcrt4.pdb\1A465C67828242F28A8C70E3B9D5C4772\rpcrt4.pdb
77f10000 77f59000   GDI32      (pdb symbols)          c:\symbols\gdi32.pdb\372C0F0E08FB456EAB7B4CB2B53E27952\gdi32.pdb
77f60000 77fd6000   SHLWAPI    (pdb symbols)          c:\symbols\shlwapi.pdb\483E8894476B412DABC2FBA7F470E39A2\shlwapi.pdb
77fe0000 77ff1000   Secur32    (pdb symbols)          c:\symbols\secur32.pdb\7867B3F28B5C41CE847895E3FC013DC52\secur32.pdb
78130000 781e0000   MOZCRT19   (private pdb symbols)  c:\symbols\MOZCRT19.pdb\858730465F3145B29B80F27A3951F51D1\MOZCRT19.pdb
7c420000 7c4cf000   MOZCPP19   (private pdb symbols)  c:\symbols\MOZCPP19.pdb\34C925AE579D4137997D5DA3BCFD97F91\MOZCPP19.pdb
7c800000 7c8f6000   kernel32   (pdb symbols)          c:\symbols\kernel32.pdb\072FF0EB54D24DFAAE9D13885486EE092\kernel32.pdb
7c900000 7c9b2000   ntdll      (pdb symbols)          c:\symbols\ntdll.pdb\F4A80DFE21AB470283A67112A7DCC73F2\ntdll.pdb
7c9c0000 7d1d7000   SHELL32    (pdb symbols)          c:\symbols\shell32.pdb\D664FA74256F458FBBCC8D4A941819392\shell32.pdb
7e290000 7e401000   SHDOCVW    (deferred)             
7e410000 7e4a1000   USER32     (pdb symbols)          c:\symbols\user32.pdb\D18A41B74E7F458CAAAC1847E2D8BF022\user32.pdb

Unloaded modules:
72d20000 72d29000   wdmaud.drv
02010000 02029000   vct3216.acm
74e30000 74e9d000   RichEd20.dll
(Reporter)

Comment 1

8 years ago
Created attachment 500735 [details]
Testcase.

Will crash Firefox.
(Reporter)

Comment 2

8 years ago
I must add that the PoC attached is a bit different from the stack trace above. The result is the same, but I changed a piece of code. Since I am still researching it I figured it didn't matter much.

I used:

var header = unescape("%u4141%u4141%u4141");

instead of:

var header = unescape("%u0000%u0000%u0000");

Hence the 0x41414141 in this diagram:

0012d4c8 5ad799fa xul!BuildTextRuns(class gfxContext * aContext = 0x41414141, class nsTextFrame * aForFrame = 0x41414141, class nsIFrame * aLineContainer = 0x00000000, class nsLineList_iterator * aForFrameLine = 0x41414141)+0x32a
(Reporter)

Updated

8 years ago
Keywords: crash
Summary: Serious buffer overflow on TextRun. → Buffer overflow on TextRun.
I ran the testcase on the latest Mac and Win 7 trunk nightly as well as Win 7 3.6.13 and I did not get a crash - the browser freezes and I have to force quit.
(Reporter)

Comment 4

8 years ago
Hi Marcia,

Can you try it with only the testcase in 1 tab, so no further open tabs? It seems if you have more than one tab open, the testcase will fail. Probably due to memory management? When I open the testcase in 1 tab, memory increases exponentially: 100MB, 200MB, 400MB, 800MB, 1600MB ... until it hits the floor, which is 3GB in my case.
Confirming crash using the latest 1.9.2 nightly on XP:
bp-dced8e84-09c0-42d0-8eda-a528d2110110
All my crashes are safe OOM aborts from 'operator new' called from
gfxTextRun::AllocateDetailedGlyphs

The attached testcase here looks similar to the one in bug 504342
so I suspect it's the same underlying problem.
Status: UNCONFIRMED → NEW
Component: Security → Graphics
Ever confirmed: true
Keywords: reproducible, testcase
Product: Firefox → Core
QA Contact: firefox → thebes
Created attachment 502590 [details]
Testcase #2, using "%u4141%u4141%u4141"

Using "%u4141%u4141%u4141" instead of "%u0000%u0000%u0000" (as suggested
in comment 2) triggers a safe OOM abort from TextRunWordCache::MakeTextRun
instead, as reported in comment 0.
bp-4f45fb5e-6281-4d85-a9a3-cf77f2110110
This looks like another version of "put ever-increasing amounts of text into the document, and eventually memory allocation will fail and we'll crash". It's not really clear to me whether there's anything more interesting/sinister than straightforward OOM abort - which can manifest as either a crash deliberately triggered from mozalloc or as a Windows exception thrown by operator new. (See bug 607160 for another similar-looking example.)
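The two ways an allocation failure can surface, as described in the comment above, shown side by side as an added example (this is not Mozilla's code): an overflow-checked, nothrow allocation of a glyph buffer that reports failure to its caller, next to a plain throwing operator new. DetailedGlyph, GlyphBuffer and the byte budget are constructed stand-ins, and the doubling run mirrors the 100MB, 200MB, 400MB ... growth reported in comment 4, scaled down by 2^20 so it runs cheaply.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <new>

// Constructed stand-in for a per-character glyph record; the real
// gfxTextRun::DetailedGlyph layout is not reproduced here.
struct DetailedGlyph {
    uint32_t glyphId;
    int32_t  advance;
    int32_t  xOffset;
    int32_t  yOffset;
};

enum class AllocResult { Ok, Overflow, OutOfMemory };

struct GlyphBuffer {
    DetailedGlyph* data = nullptr;
    size_t count = 0;
    GlyphBuffer() = default;
    GlyphBuffer(const GlyphBuffer&) = delete;
    GlyphBuffer& operator=(const GlyphBuffer&) = delete;
    ~GlyphBuffer() { delete[] data; }
};

// Fallible path: every size computation is overflow-checked and the
// allocation uses nothrow new, so failure comes back as a return value
// instead of unwinding through a C++ EH exception (code 0xe06d7363 in
// the dump above). budgetBytes is a constructed cap that stands in for
// the allocator running out of address space.
AllocResult AllocateDetailedGlyphs(GlyphBuffer& buf, uint32_t charCount,
                                   uint32_t glyphsPerChar, size_t budgetBytes) {
    if (glyphsPerChar != 0 &&
        charCount > std::numeric_limits<uint32_t>::max() / glyphsPerChar) {
        return AllocResult::Overflow;           // charCount * glyphsPerChar would wrap
    }
    const size_t n = size_t(charCount) * glyphsPerChar;
    if (n > std::numeric_limits<size_t>::max() / sizeof(DetailedGlyph)) {
        return AllocResult::Overflow;           // n * sizeof would wrap
    }
    const size_t bytes = n * sizeof(DetailedGlyph);
    if (bytes > budgetBytes) {
        return AllocResult::OutOfMemory;        // simulated allocator refusal
    }
    DetailedGlyph* p = new (std::nothrow) DetailedGlyph[n]();
    if (!p) {
        return AllocResult::OutOfMemory;        // real allocator refusal
    }
    delete[] buf.data;                          // old contents stay intact on any failure above
    buf.data = p;
    buf.count = n;
    return AllocResult::Ok;
}

// Infallible path: plain operator new reports failure by throwing. Asking for
// more elements than size_t can address makes the throw deterministic without
// touching real memory (std::bad_array_new_length derives from std::bad_alloc).
bool ThrowingNewReportsFailureAsException(size_t elementCount) {
    try {
        DetailedGlyph* p = new DetailedGlyph[elementCount];
        delete[] p;
        return false;
    } catch (const std::bad_alloc&) {
        return true;
    }
}

// Doubles the text-run size each step, as the testcase's growth does, and
// returns how many allocations succeed before the fallible path says stop.
unsigned DoublingRunsUntilFailure(uint32_t startChars, size_t budgetBytes) {
    unsigned ok = 0;
    GlyphBuffer buf;
    for (uint32_t chars = startChars; chars != 0; chars *= 2) {
        if (AllocateDetailedGlyphs(buf, chars, 1, budgetBytes) != AllocResult::Ok) {
            break;
        }
        ++ok;
        if (chars > std::numeric_limits<uint32_t>::max() / 2) {
            break;                              // next doubling would wrap chars
        }
    }
    return ok;
}
```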
(Reporter)

Comment 9

8 years ago
Mats, 504342 (Firefox 3.5 unicode stack overflow) was originally discovered by Andrew Haynes & Simon Berry-Byrne (http://packetstormsecurity.org/files/view/79253/firefox35unicode-overflow.txt) but has been claimed by at least 12 people afterwards. It pops up everywhere, but has been addressed at least two times in Firefox. See bug 587474, bug 504343, bug 583077, and it got accredited to the wrong person in MFSA 2010-65. So it has been fixed twice. Curious.

Jonathan, I can't view bug 607160, no access :)
(Reporter)

Comment 10

8 years ago
Bug 618234 seems similar, if you'll agree I stop searching for similar bugs.
Right, it's more like bug 618234 and bug 610102.
I don't see any evidence of "buffer overflow" though, just an OOM.
Whiteboard: [sg:dos?][oom]
(Reporter)

Comment 12

8 years ago
Been a while since I was delving in Firefox, bit rusty. Didn't know that a crash was an expected abort these days. But, we don't have to crash of course. It's only a PoC that we can control unlimited memory, which in itself is bad for obvious reasons. Would appreciate Mozilla's stance on this.
(Reporter)

Comment 13

8 years ago
Another TextRun variation I just produced: bug 628228 with an integer overflow. A "safe abort" on an exception doesn't mean we can't control the stack before it throws. SEHs can be exploited, but it requires massive work and time that I just don't have; I can only do so much.
Group: core-security
Duplicate of this bug: 1190556
Dan, do you know if this bug is still relevant?
Flags: needinfo?(dveditz)
Whiteboard: [sg:dos?][oom] → [sg:dos?][oom][gfx-noted]
What do you mean by "relevant"? It's got a testcase that still crashes Firefox. It's not exploitable to take over Firefox, but it could be used to annoy users. It would be nice if web pages couldn't crash Firefox. We are introducing e10s so a crashing page won't take Firefox itself down, but it still takes other tabs with it, which is still an interruption and possibly loss of work in those tabs.
Flags: needinfo?(dveditz)
(In reply to Daniel Veditz [:dveditz] from comment #16)
> What do you mean by "relevant"? It's got a testcase that still crashes
> Firefox. It's not exploitable to take over Firefox, but it could be used to
> annoy users. 

If the testcase still reproduces for current Firefox versions then I would suggest this bug is still relevant and that answers my question.

> It would be nice if web pages couldn't crash Firefox. We are
> introducing e10s so a crashing page won't take Firefox itself down, but it
> still takes other tabs with it, which is still an interruption and possibly
> loss of work in those tabs.

I agree but I think that's out of scope for this bug :)