Bug 638018 - (CVE-2011-2377) [1.9.2] crash [@ ycc_rgb_convert] on image with src set to a resource with multipart/x-mixed-replace content type
Status: verified1.9.2
Product: Core
Classification: Components
Component: General
Version: 1.9.2 Branch
Platform: All All
Importance: -- critical
Target Milestone: ---
Assigned To: Joe Drew (not getting mail)
Depends on: CVE-2010-1201 639303
Reported: 2011-03-01 22:49 PST by Jordi Chancel
Modified: 2016-01-19 16:55 PST
CC: 12 users
rforbes: sec-bounty+

Attachments:
- ScreenShot [ACCESS_VIOLATION_WRITE] (105.60 KB, image/png), 2011-03-01 22:53 PST, Jordi Chancel
- TestCase1 (880 bytes, text/html), 2011-03-10 10:11 PST, Jordi Chancel
- Testcase (154 bytes, text/html), 2011-06-13 23:45 PDT, Jordi Chancel

Description Jordi Chancel 2011-03-01 22:49:22 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv: Gecko/20110218 Firefox/3.6.14
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; fr; rv: Gecko/20110218 Firefox/3.6.14

Visiting a webpage that contains multiple images whose src attribute refers to a multipart/x-mixed-replace resource, Firefox 3.6.14 on Windows crashes after some time with [Access_Violation_Write].

Tested on Windows 7

Reproducible: Always

Steps to Reproduce:
1. Visit test page
2. wait a few moments
Actual Results:  
Firefox crashes

Expected Results:  
Firefox doesn't crash

Like bug 610601, this crash is very intermittent: sometimes Firefox will crash after some seconds, and sometimes Firefox doesn't crash at all.
Comment 1 Jordi Chancel 2011-03-01 22:53:29 PST
Created attachment 516185
Comment 3 Johnny Stenback (:jst) 2011-03-02 14:37:37 PST
Jordi, can you reproduce this with a 4.0 beta build? No crash here...
Comment 5 Jordi Chancel 2011-03-03 05:12:48 PST
Mozilla Firefox 3.6.14 crashes again.

Please try with Mozilla Firefox 3.6.14
Comment 6 Jordi Chancel 2011-03-03 05:14:22 PST
(Please try with Mozilla Firefox 3.6.14 on Windows.) Not tested on Mac OS, Linux or Solaris...
Comment 7 Daniel Veditz [:dveditz] 2011-03-03 13:35:42 PST
Crash-stats for this stack (see comment 4) look scary exploitable. Have not been able to repro myself, but socorro shows there's a real problem here somewhere.
Comment 8 Jordi Chancel 2011-03-03 13:41:17 PST
The crash is very intermittent; go to and wait.
Comment 9 Mats Palmgren (:mats) 2011-03-04 07:47:00 PST
Yeah, I can repro on Linux64 debug but it takes about 30 minutes each time.
GDB tells me this is an optimized image, as in bug 610601.
It's hard to debug because of the setjmp/longjmp error handling...
Comment 10 Jordi Chancel 2011-03-10 10:11:08 PST
Created attachment 518429

That's the image that crashes Mozilla Firefox.
Comment 11 Jordi Chancel 2011-03-20 09:17:23 PDT
Not Fixed for 3.6.16?
Comment 12 Jesse Ruderman 2011-03-31 21:21:06 PDT
Let's see if the patch in bug 639303 fixes this.
Comment 13 Daniel Veditz [:dveditz] 2011-03-31 22:51:06 PDT
This doesn't happen _as_much_ in Firefox 4.0, but I do see a couple stacks that are the same as the scary one here.


This is essentially a dupe of bug 557107 but we might as well work on it in this bug that's already appropriately marked and hidden. Also this one links to a testcase that at least the reporter can reproduce with, even if we can't.

(In reply to comment #12)
> Let's see if the patch in bug 639303 fixes this.

That seems to be a completely different stack and a more reproducible case. In any case it's going to be hard to see if bug 639303 fixes this because even Jordi has trouble reproducing this on mozilla-central nightlies.
Comment 14 Jordi Chancel 2011-04-02 02:25:22 PDT
I will retry with 4.0
Comment 15 Daniel Veditz [:dveditz] 2011-04-02 09:02:42 PDT
The fix in bug 639303 has not landed yet. At this point you'll only be testing how hard it is to reproduce on 4.0.
Comment 16 Jordi Chancel 2011-04-27 03:50:48 PDT
crashes sometimes more quickly.
Comment 17 Daniel Veditz [:dveditz] 2011-05-19 13:44:25 PDT
bug 639303 landed on 6.0a1 Nightlies last week and in Fx5 ("Aurora") 5/15. Does it still reproduce in a current Aurora build?
Comment 18 Jordi Chancel 2011-05-22 02:13:12 PDT
Aurora build doesn't crash. FIXED?
Comment 19 Mats Palmgren (:mats) 2011-05-22 08:08:02 PDT
It still crashes on the 1.9.2 branch.  Unfortunately the fix for bug 639303
doesn't apply on 1.9.2 or older.  Let's use this bug to handle 1.9.2 and
older branches and 639303 handle 2.0 and newer.
Comment 21 Jordi Chancel 2011-06-04 02:11:39 PDT
Fixed for the next release?
Comment 22 christian 2011-06-08 10:36:38 PDT
mats, we need to get this fixed on 1.9.2 ASAP as we will disclose it when we ship Fx5
Comment 23 Mats Palmgren (:mats) 2011-06-09 16:19:30 PDT
I tried to reproduce this for about an hour without any crash occurring.
 - connection times out
 - connection times out
 - responds, but is very slow

I don't think it's meaningful for me to work on this bug without
steps to reproduce that will cause crashes.
Comment 24 Daniel Veditz [:dveditz] 2011-06-10 10:23:10 PDT
(In reply to comment #23)
>  - connection times out

The Sendai airport was hit by the Japanese tsunami.
Comment 25 christian 2011-06-10 10:38:29 PDT
I reproduced on Mac:

Loading (had to reload a couple of times to get the image to work):
Comment 26 Al Billings [:abillings] 2011-06-10 10:39:13 PDT
Reproduced on XP SP3 with last night's build within three minutes:

Comment 27 Al Billings [:abillings] 2011-06-10 10:39:55 PDT
Only thing different Dan and I did was disable the flash plugin to make things not pull in Flash data.
Comment 28 Daniel Veditz [:dveditz] 2011-06-10 10:40:08 PDT
still crashes for me, takes < 3 minutes to cycle through the images and hit the bad one on WinXP
Comment 29 Brandon Sterne (:bsterne) 2011-06-10 11:27:46 PDT
I made a testcase that does multipart/x-mixed-replace on an alternating pair of images. You can only hit it from the MV Office VPN, though:
Comment 30 Brandon Sterne (:bsterne) 2011-06-10 11:28:58 PDT
I haven't observed any crashes with the URL in comment 29, but perhaps the testcase needs to do something more complex than alternate between two images?
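The setup from the description (several <img> elements whose src is the same multipart/x-mixed-replace resource) and the alternating-pair testcase from comment 29, as an added example that is not part of the bug report and not Mozilla's or the reporter's testcase: a small Python 3 server that serves both the test page and the stream. The boundary string, URL layout, image count, replacement interval and the two 1x1 placeholder images are constructed assumptions; to exercise the JPEG path the crash signature refers to (ycc_rgb_convert is libjpeg's colour-conversion routine), pass real JPEG files on the command line instead of the placeholders. Each part of the stream replaces the previously displayed image, so every <img> on the page keeps re-decoding and re-cycling through the parts for as long as the connection stays open, which is the churn the reporters needed before the crash showed up.

```python
"""Added example: serve an HTML page of <img> elements plus a
multipart/x-mixed-replace stream that keeps replacing the image.
Not from the bug report; boundary, paths, timings are assumptions."""
import base64
import sys
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BOUNDARY = b"xmr-boundary"   # assumed; must not occur inside the image bytes
STREAM_PATH = "/stream"      # assumed URL layout
IMG_COUNT = 8                # "multiple images" in the report; count is assumed
INTERVAL_S = 0.2             # assumed delay between replacements

# Constructed placeholders (a 1x1 PNG and a 1x1 GIF) so the module runs offline.
# Substitute the JPEG files from the testcase to reproduce the JPEG-decoder path.
PLACEHOLDER_PARTS = [
    (b"image/png", base64.b64decode(
        b"iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk"
        b"YPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==")),
    (b"image/gif", base64.b64decode(
        b"R0lGODlhAQABAIAAAP8AAP///yH5BAEAAAEALAAAAAABAAEAAAICRAEAOw==")),
]


def encode_part(content_type: bytes, body: bytes, boundary: bytes = BOUNDARY) -> bytes:
    """One stream part: delimiter line, part headers, blank line, body, CRLF."""
    return (b"--" + boundary + b"\r\n"
            b"Content-Type: " + content_type + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n"
            + body + b"\r\n")


def stream_bytes(parts, cycles: int, boundary: bytes = BOUNDARY) -> bytes:
    """Finite stream: `cycles` rounds over `parts`, then the closing delimiter."""
    out = b"".join(encode_part(ct, body, boundary)
                   for _ in range(cycles) for ct, body in parts)
    return out + b"--" + boundary + b"--\r\n"


def decode_parts(data: bytes, boundary: bytes = BOUNDARY):
    """Split a stream back into (content_type, body) pairs; checks the encoder."""
    delim = b"--" + boundary
    parts, pos = [], 0
    while True:
        start = data.find(delim, pos)
        if start < 0:
            break
        start += len(delim)
        if data.startswith(b"--", start):       # closing delimiter "--boundary--"
            break
        head_end = data.find(b"\r\n\r\n", start)
        head = data[start:head_end].strip(b"\r\n")
        headers = dict(line.split(b": ", 1) for line in head.split(b"\r\n"))
        body_start = head_end + 4
        length = int(headers[b"Content-Length"])
        parts.append((headers[b"Content-Type"], data[body_start:body_start + length]))
        pos = body_start + length
    return parts


def page_html(img_count: int = IMG_COUNT) -> bytes:
    """Test page: several <img> elements on the replacing stream. A distinct
    query string per element (assumed) keeps each one on its own connection."""
    imgs = "\n".join(f'<img src="{STREAM_PATH}?n={i}">' for i in range(img_count))
    return f"<!doctype html>\n<title>x-mixed-replace test</title>\n{imgs}\n".encode()


class Handler(BaseHTTPRequestHandler):
    parts = PLACEHOLDER_PARTS

    def do_GET(self):
        if self.path.startswith(STREAM_PATH):
            self.send_response(200)
            self.send_header("Content-Type",
                             "multipart/x-mixed-replace; boundary=" + BOUNDARY.decode())
            self.end_headers()
            try:
                while True:                      # replace until the client goes away
                    for ct, body in self.parts:
                        self.wfile.write(encode_part(ct, body))
                        self.wfile.flush()
                        time.sleep(INTERVAL_S)
            except (BrokenPipeError, ConnectionResetError):
                pass
            return
        body = page_html()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):                # keep the console quiet
        pass


if __name__ == "__main__":
    # Usage: python3 xmr_server.py [a.jpg b.jpg ...]  then open http://127.0.0.1:8000/
    if len(sys.argv) > 1:                        # files given: assumed to be JPEGs
        Handler.parts = [(b"image/jpeg", open(p, "rb").read()) for p in sys.argv[1:]]
    ThreadingHTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

The stream handler never ends the response on its own, which is what x-mixed-replace relies on: the browser treats each part as a fresh image for the same element and discards the previous one. Whether the crash is hit depends on the parts, not on the framing, so the page itself only gives you the harness; the images that actually trigger the bad decode are the ones the reporters cycle through in their testcases.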
Comment 31 Daniel Veditz [:dveditz] 2011-06-10 12:22:23 PDT
This bug qualifies for the security bug bounty
Comment 32 Joe Drew (not getting mail) 2011-06-10 15:04:06 PDT
This bug is a duplicate of bug 524921, which we, for unfathomable reasons, thought did not apply to 1.9.2.
Comment 33 Joe Drew (not getting mail) 2011-06-10 15:37:36 PDT
I ported the patch from bug 524921 to 1.9.2 (trivial port).
Comment 34 Al Billings [:abillings] 2011-06-13 18:08:42 PDT
Verified for (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20110613 Firefox/3.6.18). The test page no longer crashes.
Comment 35 Jordi Chancel 2011-06-13 23:45:58 PDT
Created attachment 539135
Comment 36 Jordi Chancel 2011-06-16 03:18:29 PDT
is sometimes 404

but I have a new testcase (crash < 1 min)!
Comment 37 Jordi Chancel 2011-06-16 22:54:58 PDT
what is the CVE id?
Comment 38 Jordi Chancel 2011-06-20 21:43:57 PDT
No CVE for this issue?

The fix release is for today, isn't it?
Comment 39 Daniel Veditz [:dveditz] 2011-06-21 03:34:52 PDT
Comment 40 Trif Andrei-Alin [:AlinT] 2011-08-22 01:41:15 PDT
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/20110803 Firefox/3.6.20
Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Mozilla/5.0 (Windows NT 6.1; rv:9.0a1) Gecko/20110818 Firefox/9.0a1

So this issue was fixed?
I can't reproduce it, Firefox doesn't crash!
